
ELK ASIA PACIFIC JOURNAL OF ELECTRONICS AND COMMUNICATION TECHNOLOGY
ISSN 2394-935X (Online); DOI: 10.16962/EAPJECT/issn. 2394-935X/2016; Volume 2 Issue 1 (2016)
www.elkjournals.com

ESTIMATING THE SAFETY OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS IN NUCLEAR POWER PLANTS: A CASE STUDY

Mishti Tambe, J R Patil

INTRODUCTION

With the swift development of digital technology, there exist several disputes concerning variation in technology for the appraisal of licensing plans. Attributed to this variation, there is a possibility of having indefinite shortfalls. Despite the numerous advantages of digital instrumentation and control systems, including self-testing, on-line diagnostics, enhanced precision, fault tolerance, and automated sensor calibration substantiation, there are several gaps, such as software logic faults and unexpected system interfaces for filtering the digital noise, and depreciations that occur from the effect of configuration deviations during power [NEI, 2011]. While there are numerous concerns, it is essential to be acquainted with the changing technologies.

For authorizing digital I&C systems, there may be a possibility of failure in I&C systems due to a common cause. Software systems that are alike have been employed in security systems. However, in the case of an erroneous program unintentionally devised in the software, the systems are not accurate and behave adversely in all the frequencies of the security systems. According to the NRC, to prevent failures befalling due to common sources in extremely reliable digital systems, asserting the quality alone is not sufficiently efficient.

THE PROBLEM

Various useful approaches are present for assuring safety in conventional electro-mechanical safety systems. However, the long-established Nuclear Power Plants (NPPs) have safety assurance techniques that are not related to software.

Unlike hardware systems, software systems will not break down, as software is an abstract concept that has no physical realization and may comprise merely systematic design faults. This perception of software systems confines it physically, but enables encompassing novel and instigating facets and functionalities in the design, thereby raising the complexity and varying the categories of breakdown. In digital systems, breakdowns are basically of two types. In the first, the hardware crashes similarly to analog hardware, and the safety provision for these crashes consists of having a larger number of hardware components of the same configuration. The second type of breakdown involves a software crash that may ensue from erroneous programs that are inept for that system. To overcome these issues, having redundant channels is not adequate. As per Knight and Leveson (1986), creating many versions of the software by diverse groups does not eliminate software crashes. Several researchers argued with this study, only to end up in line with it (Knight and Leveson, 1990). Since errors are made systematically, independently developed software probably contains errors that result from common sources.

The critical software crashes have been ascribed to the requirements stage and not the implementation stage of the software (Leveson, 1995). In several cases, the crashes occurred because some vital ideas were omitted or unsuitable conventions were adopted in the requirements stage. In many other cases, the software developers may misinterpret or overlook a specific requirement that was not expected. Although the software may cater to the requirements specified, it may not be feasible safety-wise. As mentioned above, creating numerous versions of the same software does not help with this issue.

Contrariwise, hardware systems may be comprehensively inspected, unlike software systems, and the faults could be fixed before being used. Besides, hardware systems in the majority of cases are not innovative but conform to standard designs that have been in the industry for several years. The software used in U.S. commercial aircraft (TCAS II) for preventing collisions was computed to comprise 10^20 conditions. The permanency of the system that enables the testing of boundless hardware systems by means of interpolation amid the test inputs is not applicable to discrete-state digital systems.

Software system design is mostly implemented to overcome the concerns dealt with in hardware systems, bringing in a new outlook for efficient systems, as reusing software will not prevail over the issues in existing systems (Joyce, 2002; Leveson, 2012). Further, Leveson (2004) reported that the shortcomings of spacecraft in the last ten years were due to reusing the software of other spacecraft. Since in several cases the reuse was effective, the assumption made was negated.

The stipulation is that the functionality of the software is the replacement for the hardware; however, breakdowns occurring from software are different from hardware breakdowns. Considering the failure of the analog mode annunciator in an NPP, the screens remain blank, indicating failure. On the other hand, when a digital box executing similar types of function fails, the screens freeze, which may make identifying the exact failure time-consuming. Software breakdowns are contemplated to ensue because of misleading requirements.

In addition to the longstanding consistency-improving design methodologies being useless for software, software is producing novel categories of crashes and different causes of crashes that may be dissimilar from the consistency of the distinct elements. According to Leveson (2012), software crashes in systems are ever more instigated by insecure interfaces amid functioning elements. Crashes occurring due to the interface between the elements are not regulated by the typical redundancy and overdesign that are more applicable against the breakdown of hardware elements, and the businesses that are incorporating digital technology have been subjected to such concerns. The nuclear power industry normally follows traditional technologies; however, in recent times it has approached the level of system complexity where crashes due to interfaces between elements will progressively befall.

The desecration of these rudimentary contributing conventions regarding breakdowns that transpire during the use of software signifies that several traditional methods for assuring safety do not pertain to the digital modules of the systems. The difficulty lies in improving software assurance for safety-critical functions and assimilating the approaches with traditional design and assurance methods, so as to provide an efficient way of planning and verifying or authorizing mixed analog and digital instrumentation in NPPs.

A POSSIBLE SOLUTION

For incorporating software systems in safety assurance, it is essential to take account of potentially newer types of breakdowns and their sources due to the software. This is done by expanding the present causality models. Typically, conventional safety engineering analysis and the planning of these systems assume a model comprising a sequence of events, wherein one failure subsequently leads to another failure that causes a major breakdown. To address this matter, Leveson (2012) instigated a novel causality model for failures (STAMP - System-Theoretic Accident Model and Processes), centered on system theory, that involves an extensive outlook on failures.

STAMP redevised safety by considering it as a control problem instead of a consistency problem. The breakdown of elements is still encompassed; however, failures are ascribed to ensue when peripheral turbulences, or insecure interfaces among system modules, are not sufficiently dealt with, i.e., controlled, resulting in insecure system performance. Insecure system performance is demarcated in terms of obligatory performance safety constrictions not being met. For instance, a distinctive system safety constriction for an NPP is that the reactor defense system should at all times introduce neutron-absorbing material into the core when a reactivity deviance is dreaded or cooling is scarce. If the constriction is not implemented, under particular situations it may precede a deplorable release of radioactivity into the environment.

To avert mishaps, the system design must enforce the safety constrictions on system performance. The tangible course that leads to the loss of control may be multifaceted and may include indirect, non-linear, and feedback relationships amid the actions and the system modules.

Safety constrictions stipulate the relationships among system variables or modules that establish the safe and unsafe system states: for example, the power should not be switched on when the entrance door to the high-power source is open; aircraft should under no circumstances infringe minimum separation requirements; aircrew in a war zone should be able to ascertain targets as hostile or non-hostile; and the public health system should avoid public exposure to contaminated water and food items. In NPPs, frequently used system-level safety constrictions are that control rods need to be inserted into the core when reactivity is unrestrained or when cooling is inadequate, the reactor should offer an adequate amount of cooling to remove heat and avert damage to the reactor, and the fuel cladding should be able to stop leakage of radioactivity. Such complex performance constrictions can be developed into more explicit restrictions on the performance of all the system modules that collectively guarantee the system-level safety constrictions. Mishaps develop from distinct module performance that encroaches upon its safety constrictions and from system module interfaces that violate the system-level safety constrictions.

In addition to the safety restraints, another vital concept is required in treating safety as a control problem. In systems and control theory, in order to provide successful control, the controller should have a precise model of the process it is controlling (see Figure 1). For human controllers, this model is generally known as the mental model. For both automatic and human controllers, the process model or mental model is used to ascertain the control actions that are essential to keep the system functioning effectively.

The process model comprises conventions concerning the operation of the controlled process and the present status of the controlled process. Mishaps in multifaceted systems, predominantly software systems, frequently result from discrepancies between the model of the process used by the controller and the tangible process condition, which leads the controller to offer insecure control. Commonly, these models of the controlled system become inappropriate because of missing or scarce feedback and communication channels. The software in the Mars Polar Lander loss assumed that the spacecraft was on the surface of the planet and dispensed an order to shut off the descent engines. In fact, the spacecraft was 40 meters above the planet surface. A huge number of mishaps relating to software can be elucidated by erroneous process models, which are also applicable to human errors. STAMP offers a considerably more effectual method of planning to decrease human error instead of handling human error like machine failure.
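The control loop just described, in which the controller acts on a process model that is only as accurate as the feedback updating it, as an added example in Python. This is not code from the paper; the train-door scenario, the class names and the single "moving" model variable are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TrainState:
    """The controlled process as it really is (constructed scenario)."""
    moving: bool
    door_open: bool = False


@dataclass
class DoorController:
    """Controller in the STAMP sense: it decides from its process model,
    not from the real train, and the model changes only through feedback."""
    feedback_connected: bool = True
    process_model: dict = field(default_factory=lambda: {"moving": False})
    issued: list = field(default_factory=list)

    def receive_feedback(self, train):
        # The feedback channel is the only way the model learns the true
        # state; if it is missing, the model silently keeps its stale value.
        if self.feedback_connected:
            self.process_model["moving"] = train.moving

    def decide(self, request):
        # Control algorithm enforcing "never open while moving", but only
        # as the process model sees the train.
        if request == "open" and self.process_model["moving"]:
            return "hold"
        return request


def hazardous(train):
    """System-level hazard from the page: a door open while the train moves."""
    return train.moving and train.door_open


def model_mismatch(ctrl, train):
    """The causal factor STPA looks for: process model out of step with the process."""
    return ctrl.process_model["moving"] != train.moving


def step(ctrl, train, request):
    """One control-loop iteration: feedback, decision, actuation."""
    ctrl.receive_feedback(train)
    action = ctrl.decide(request)
    ctrl.issued.append(action)
    if action == "open":
        train.door_open = True
    elif action == "close":
        train.door_open = False
    return action


def run_scenario(feedback_connected):
    """Doors closed at the platform, the train departs, then a mistaken
    'open' request arrives while the train is already moving."""
    train = TrainState(moving=False)
    ctrl = DoorController(feedback_connected=feedback_connected)
    step(ctrl, train, "close")
    train.moving = True                  # the real process changes state
    step(ctrl, train, "open")
    return {
        "issued": ctrl.issued,
        "model_mismatch": model_mismatch(ctrl, train),
        "hazard": hazardous(train),
    }


if __name__ == "__main__":
    for connected in (True, False):
        label = "feedback connected" if connected else "feedback missing"
        print(label, run_scenario(connected))
```

With the feedback channel connected, the controller's model tracks the train and it withholds the "open" command. With the channel missing, the model retains its stale "stopped" value and the controller issues an action that is correct according to its model but unsafe for the real process, which is exactly the discrepancy the paragraph describes; the model_mismatch check is the question an STPA analyst asks of every feedback link in the control structure.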


Devising a safety-oriented design, or investigating the present design for safety, encompasses producing and examining the controls that are employed to implement the safety limitations, to guarantee that they will be operative in making sure the limitations are imposed by the system design. A portion of designing effectual safety controls is offering the feedback and inputs essential to maintain the consistency of the controller's model with the real condition of the process. A significant feature of recognizing the negative effects includes ascertaining the reasons for the ineffectiveness of the controller, since frequently the process model employed by the controller was unsuitable or scanty in a particular manner (refer to Fig. 1).

Employing these ideas, Leveson (2012) formed a novel risk assessment method known as STPA (System-Theoretic Process Analysis), which recognizes the safety limitations required to be imposed and makes sure that the system design effectively implements them. Further, it recognizes the necessary process model that the controller needs in order to provide an ample amount of control, and consequently the data essential in that process or mental model. In case the data is dropped or tarnished, disasters will happen. STPA is mainly a demanding technique for inspecting the control loops in the safety control configuration to discover impending errors and the potential for scarce control. As the STAMP framework encompasses the existing accident models that contain the failure of elements, besides recognizing the risk conditions, STPA also covers the causes not incorporated or managed below par in the outmoded approaches, including software requirements mistakes, failure due to element interfaces, multifarious human decision-making blunders, scarce synchronization amid manifold controllers, and supervision and monitoring decision making.

USING STPA

STPA chiefly helps in recognizing the safety control prerequisites. There are four categories of insufficient control that lead to accidents:

An essential control action is not given or not pursued.
A wrong or insecure control action is delivered.
A possibly safe control action is presented either ahead of time or tardily, or in the improper sequence.
A control action that is necessary for safety is ended in advance.

The outcomes of the investigation can be noted in a table. A few entries indicate wrong performance of the system, but not a safety problem. If the table is filled in for the risks, the wrong system performances can be transformed into safety limitations on the performance of the modules. The challenges are moderately resolved with this approach. Further, the resulting insecure control activities must be ascertained, wherein the conditions that lead to the development of these activities, and that cause an accident or failure, are detected. STPA is similar to HAZOP, which comprises a system model, while guidance is given by STPA for checking the inadvertences in some situations.

Faults in the safety control configuration recognized by STPA may be employed to restructure the safety controls. Consecutively, the model and investigation methods are made use of for evaluation of the proposed modifications, such as the addition or reinforcement of communication and feedback channels so as to guarantee precise process models and hence amended decision making. Other modifications include reorganizing the duties, organizing or combining omissions, or merely expounding the conventions and guidelines under which the system functions.

Some formal comparisons have been made between STPA and traditional methods like fault tree analysis, and STPA seems to be favorable. STPA was incorporated in the ballistic missile defense system (BDMS), where it was applied prior to the deployment and testing of the system. Using conventional techniques, deployment and testing would typically be delayed to reduce the risks; however, several possible ways to unintentionally launch were distinguished. Even though the circumstances recognized by STPA comprised those instigated by impending failures of the system modules, different circumstances were likewise found that comprised insecure interfaces amid the elements without failures.

As per Pereira et al. (2006), in carrying out the evaluation two benefits were prominent:

The endeavor was constrained and expected to aid the engineers in scoping the system design. The evaluation was concluded after the control actions were verified.

After developing the control structure and classifying the possible scarce control actions, it was easier to highlight the necessary modifications, consistent with which control actions have the largest part in keeping the system from converting to a risky condition.

Furthermore, as per Ishimatsu (2010), a cautious appraisal of STPA was prepared by JAXA for the HTV unmanned spacecraft. As human life on the International Space Station is at stake, arduous NASA risk investigation principles by means of fault trees and other investigation approaches had been exercised and appraised by the NASA authorities. Shortly afterwards, STPA was tested and applied to the same system in an assessment of the method for prospective usage at JAXA. The aspects causing the risks in the fault tree analysis were determined by STPA.

RESEARCH OBJECTIVES

The objective of this research is to validate the usability, viability, and comparative effectiveness of employing STPA in the licensing of digital NPPs. STPA has the potential to augment the present analysis and authorization or licensing management, with the purpose of offering resources to measure risks related to digital technology in NPPs, tools to weigh the degree to which these risks are amply alleviated by the system architecture, and references for safety-driven enhancements when necessary. STPA is anticipated to be a successful technique at the management level.

A BRIEF STPA TUTORIAL

STPA comprises a distinct array of isolated processes to institute the system data for the investigation, classify insecure control actions, and detect the sources of risky control. The outcomes may be employed to create safety prerequisites and design safer systems. Also, the outcomes apply when a system already exists, to assess it pertaining to safety. To initiate, the specialists must ascertain the accidents with which they are concerned and the risks associated with those accidents, and then build a model of the safety control structure.

DETECTING ACCIDENTS

Prior to initiating STPA, an agreement regarding the system-level harms and accidents to be considered must be reached. The harms often comprise damage to human life; nevertheless, any damage can be encompassed that is undesirable and should be averted, for instance financial shortfalls including broken tools and operational damage. The damages contemplated in an NPP are detrimental radiation to people outside as well as within the plant, loss of electric power, intolerable damage to equipment and tools, and the like. Examples of accidents are depicted in Table 1.

The accidents should delineate the eventual result that requires to be averted, and not a transitional episode. Consider loss of coolant, which is not a system-level accident, as it does not define the anticipated result which should be prohibited.

DETECTING SYSTEM RISKS

Detection of the system risks takes place after the diversity of accidents has been demarcated. Risks are an array of conditions that lead to an accident when combined with an unmitigated condition. All the risks are related to the accidents that befall. Accidents in which people are subjected to the toxicity of chemicals from a chemical plant impinge upon various aspects, which may be internal or external. The related risks of this accident should delineate the aspects that can be regulated in the system design. While risks cannot be regarded as failures, risks are the factors that lead to failure. However, not all risks lead to failure of the system; i.e., in several cases failure of the system is due to external conditions such as an earthquake, a tsunami, and the like.

After the accidents have been distinguished for different risks in the system, the overall examination of the system reflects upon all the risks in depth and detects the associated underlying aspects and conditions. As accidents and risks define the interface between the system and the corresponding environment, there is trivial need for the system to ascertain them. Risks can be restated as the safety checks that should be imposed to avoid the risks, and further the accidents that are caused by them.

MODELING THE SAFETY CONTROL STRUCTURE

The safety control structure is a well-designed control model that accentuates system safety and the approaches that implement safety. During the design phase of the system, the models that are preliminarily designed are complex and must be further refined as design decisions are made, preferably using the outcomes of the STPA risk evaluation.

A safety control structure is designed in the form of a hierarchy, in which the controllers at the upper levels function to accomplish their duties by issuing control actions that influence the lower-level controllers. Figure 2 indicates a general control structure that comprises system development as well as operation. Feedback is given by lower-level modules, which is utilized by the controllers in the upper level to choose the control actions to offer in the following sequence (refer to Fig. 2).

The customary risk assessment techniques are characteristically restricted to operation, while at certain times they do not involve the operator. Nevertheless, the sociotechnical system contributes a significant function in stopping accidents. As the hierarchical control structures consist of organizational, supervisory, industrial, and human constituents, STPA finds it easy to examine other factors that contribute to accidents which are not incorporated in usual examinations. Outlining the safety control structure for an explicit system encompasses ascertaining the controllers/constituents and their tasks for safety; for example, aviators are accountable for accurately performing all directives from air traffic control, and automatic systems are accountable for conserving process parameters within definite boundaries. Figure 2 indicates a high-level control structure; however, all of this structure is further distinguished into a comprehensive substructure. For instance, Figure 3 illustrates an example control structure for the Operating Process section of Figure 2. Because STPA is a top-down process, control structures are demarcated at a high level of abstraction and then refined (refer to Fig. 3).

Lastly, process models likewise should be drawn. The process models are employed by the controllers to ascertain the control actions essential to accomplish their duties. Thus, the process models should comprise the relevant data required by the controller to make safe decisions. The safety control structure is an influential technique to characterize the safety design of multifaceted systems, and beneficial outcomes are generated at the initial phase of the investigation. Faulty process models, intersecting accountabilities, and contradictory control actions are evidently significant contributors to an accident. While these factors are observed comprehensively in the later stages of the STPA evaluation, several glitches are discovered in this phase by means of a straightforward investigation of the control structure. In case a controller's process model needs data which is not given in a feedback, there is a possibility of devising a faulty design. Figure 4 illustrates a segment of the control structure with accountabilities and process models for a train door control system (refer to Fig. 4).

DETECTING INSECURE CONTROL ACTIONS (STEP 1)

All the controllers in the system are able to dispense control actions. This phase examines all control actions to conclude the likelihood of the safety of an action, i.e., whether it could instigate a system-level risk.

SIMPLE TECHNIQUE

Four categories of Unsafe Control Actions (UCA) are likely:

A control action essential for safety is not offered.
An insecure control action is presented that points to a risk.
A possibly safe control action is given either too early, too late, or out of sequence.
A safe control action is ended too early or was applied too long.

An easier way of detecting UCAs is to observe all the control actions in the control structure for all the possible risks, from which the aforementioned UCAs of these four categories are determined. The different risks contemplated are the train starting to move with an open door, a door opening during movement or when not lined up with a station platform, a door closing when a person is passing through it, and the doors not opening during an emergency (refer to Table 2).

To understand why a UCA is risky, it is essential to avoid assumptions such as that several risk barriers are present or are error-free. For instance, even if a physical interlock prevents the actuator from opening the doors of the train during motion, it is nevertheless regarded as risky to offer the 'door open' command. The investigation considers the risky behavior that is a source of risk in a bad condition, such as when the physical interlocks are non-functional. However, there exists no necessity that insecure behavior should cause a risky situation or an accident. If the examination supposes that the other risk barriers are continually functioning and ample, then no behavior would be deliberated to be risky. Rather, the system components must perform as if the other risk barriers were unnecessary. The approach for ascertaining UCAs is easy with respect to performance, and gives an intuitive mode to share the outcomes. A more methodical technique will be supportive in meticulously categorizing the UCAs, as described in the next section.

SYSTEMATIC METHOD

This method starts from the observation that a control action is not hazardous in itself. For example, the control action that opens the train doors may be safe in some situations and unsafe in others. To decide whether it is hazardous, the context in which the action occurs must first be identified. Opening the train doors while the train is moving is a UCA, while opening them after the train has stopped is a safe control action that represents correct system behaviour. Because the process model captures the information the controller needs in order to satisfy the safety requirements, the context of a UCA can always be decomposed into variables and values that appear in the process model or in the data communicated to the controller from its environment. (Refer Fig. 5)

Besides the context, several other components make up a UCA. By decomposing a UCA into its components (as shown in Figure 5), the analysis can first concentrate on identifying each element across the safety control structure and only then consider combining the elements into UCAs. A sample table for the case in which the control action is provided is shown in Table 3. (Refer Table 3) The first step of this method is to select a control action and build a context table. The first column states that the table examines the case in which the control action is provided. The next three columns hold the process model variables relevant to the chosen control action. Each row is filled with a distinct combination of process model values. Every row is then analysed to determine whether the control action is hazardous in that context, and the finding is recorded. Each hazard identified in this way is a UCA that can be recorded in a summary table. The next step is to translate the UCAs into safety constraints. A sample table for the case in which the control action is not provided is shown in Table 4. (Refer Table 4)

TRANSLATING UCAS INTO SAFETY CONSTRAINTS

UCAs must be translated into safety constraints that prevent accidents. This translation is fairly straightforward and usually amounts to inverting the wording of the UCA. For example, if the UCA is commanding the doors to open while the train is moving, the corresponding safety constraint is that the doors must not be commanded open while the train is moving. The rest of STPA examines the control structure to find how the safety constraints identified here might be violated.

IDENTIFYING CAUSAL FACTORS (STEP 2)

Once the safety constraints have been defined, the causal factors that could lead to a violation of each constraint must be identified. Figure 6 classifies causal factors according to the two ways in which a safety constraint can be violated:

1. The controller issues a UCA: all causal factors that could cause the UCA must be identified. For example, a UCA in which the controller commands the doors open while the train is moving may arise from an error in the controller's process model. The controller may believe the train has stopped when it is in fact moving. That error may in turn result from incorrect feedback from a component, such as a speed sensor reporting a speed of zero while the train is moving, and the incorrect feedback may itself be caused by a faulty sensor. (Refer Fig. 6)

2. A correct control action is issued but not followed: every case in which a safe control action is given yet the safety constraint is still violated must also be examined to identify its causal factors. For the constraint that the doors must not open while the train is moving, the analyst must bear in mind that the doors may open even though no UCA was issued. Such behaviour may result from an actuator failure, from a command issued by another controller, or from a problem in the controlled process itself.

USING CAUSAL FACTORS

The causal factors are used to write safety requirements for a new design, or to propose design features that eliminate or mitigate the causal factors that lead to hazards. Where a hazard has been eliminated, no further refinement of that item is needed. For an existing design, the causal factors identified for it must be shown to be adequately controlled; where they are not, interlocks and other controls should be considered. Once the causal factors are known, common failures that are likely to recur can also be recognised.


ITERATING THROUGH THE SAFETY

CONTROL STRUCTURE

STPA is usually applied first at a high level, using an abstract control structure with coarse control actions and feedback channels. For instance, a control structure might represent the flight crew as a single controller with coarse control actions such as 'execute manoeuvre' and 'abort manoeuvre'. A complex software system may likewise be represented by a single controller, say an engine controller, with basic control actions such as 'increase power' and 'decrease power'. After all the controllers have been analysed at this abstract level, a more detailed control structure can be built to examine the lower-level design. Every step of the STPA process is then repeated in an iterative, top-down manner to refine the safety constraints as needed. If a hazard has been eliminated, no further refinement is needed for it; otherwise the analysis is refined until the mitigation measures are specific to the concerns identified.

CASE STUDY

The case study applies STPA to a generic Evolutionary Power Reactor (EPR), a type of Pressurized Water Reactor (PWR). The EPR is fully digital: the control systems and the Reactor Protection System are both digital. The evaluation focuses on a subset of the NPP, namely the systems involved in closing the Main Steam Isolation Valve (MSIV); the same procedure can be applied to the rest of the plant. In normal operation, the primary coolant of a PWR carries heat from the reactor to the steam generator (SG), a heat exchanger in which secondary-side water cools the primary coolant and is boiled into steam. The SG keeps the secondary water separate from the radioactive primary coolant. The steam travels to the turbine, which is coupled to a generator that produces electricity. The steam is then condensed in the condenser and pumped back into the SG to repeat the cycle. The loop formed by the SG, turbine and condenser is called the secondary cooling system. A general illustration of a PWR is given in Figure 7. (Refer Fig. 7)

The MSIV is a valve on the main steam line that is normally left open so that the secondary system can cool the primary system. In abnormal conditions the MSIV is closed to isolate the SG from the rest of the secondary system. Closing the MSIV is required, for example, after a break in the main feedwater pipe that allows water to escape. Because closing the MSIV prevents the secondary system from fully cooling the primary system, redundant systems are provided to cool the primary coolant. These include the other SGs, the turbine bypass valves, the main steam relief isolation valves (MSRIV) and main steam relief control valves (MSRCV), the safety relief valves (SRV), the Chemical and Volume Control System (CVCS), and the Emergency Core Cooling System (ECCS). These systems are included in the analysis only insofar as they influence the decision to close the MSIV. The STPA evaluation begins by identifying the accidents, hazards and control structure for the overall system; the remaining steps concentrate on the systems involved in closing the MSIV.

ACCIDENTS

Identifying the accidents, such as radiation exposure, explosion or any other mechanism of harm, is the first step and is important because accidents generally involve loss of human life and must be prevented. Harm to people, the most severe form of which is loss of life, covers both plant personnel and the general population. Accidents that harm the environment, such as radiation and other harmful releases to the air, ground and groundwater, cause extensive environmental damage. Next is equipment damage, meaning the financial loss associated with destruction of or damage to plant equipment and machinery, whether or not radiation is released. Lastly, the loss of electrical power generation includes unplanned shutdowns of the plant. Table 5 lists the system-level accidents examined in this study. (Refer Table 5)

Priorities are assigned because not all accidents are equally important. The accidents are not mutually exclusive: it is entirely possible for all of the losses above to occur at the same time. Finally, financial losses such as equipment damage and loss of power generation may not be of immediate concern in a licensing review or a conventional safety assessment, but they are certainly a concern for plant effectiveness. STPA can be applied to any category of loss that is considered important in the evaluation. Including several categories of loss, such as operational or financial losses, allows better decisions to be made about meeting multiple requirements and helps in recognising and formulating trade-offs between conflicting objectives.

SYSTEM HAZARDS

After the system accidents have been defined, the hazards are identified. Table 6 lists the hazards included in the evaluation and the accidents associated with each. (Refer Table 6) The first hazard is the release of radioactive material beyond the boundary of the primary system, regardless of magnitude, including release into the secondary cooling system, groundwater or air, whether inside or outside the control structure. Such releases must be controlled to prevent exposure of people and the environment. The second hazard is a hazardous plant condition, such as a loss of adequate reactor cooling, that can lead to the system-level accidents A-1 and A-2. Although this hazard can occur without causing an accident, it is still harmful and must be controlled. The third hazard comprises operation beyond the safety parameters that leads to reactor damage, and operation beyond the design parameters that leads to equipment damage. The last hazard is an unplanned shutdown, which leads to loss of electrical power generation.

SAFETY CONTROL STRUCTURE

The high-level safety control structure developed for this study is shown in Figure 8. The components inside the dashed red box control the closing of the MSIV; they are examined in detail for the rest of the case study. Figure 9 shows a more detailed control structure for the systems highlighted in the dashed box. The dotted green arrow represents interaction between the MSIV controllers and other controllers. As the figure shows, the Protection System (PS) communicates with the Safety Control System (SCS) so that the Engineered Safety Features (ESF) controls can be started after ESF actuation. The Reactor Controls (RC) controller likewise communicates with the Non-Safety System Controller (NSSC), which supplies the command signals for the actuators used in RC functions other than the control rods, such as the Boron and Makeup Control (BMC) components used for boron control. (Refer Fig. 8)

The controllers that can issue a control action to close the MSIV are the Operator, the NSSC, the PS, and the Diverse Automation System (DAS). These controllers send their control actions to the MSIV Priority Module (PM), which uses a pre-programmed precedence rule to decide which control action is passed on to the MSIV actuator. If the operator detects a need to close the MSIV, the operator may issue a 'Close MSIV' command directly to the PM. The PM determines which controller has precedence and forwards that controller's command to the MSIV actuator. Since the NSSC also provides a manual control for the MSIV, the operator may instead issue the close command through the NSSC. (Refer Fig. 9)

In that case the NSSC forwards the close command to the PM, which in turn passes it to the MSIV actuator. The PS is automatic and issues a Close MSIV command when one is required. Lastly, the DAS, a backup safety system that takes over if the PS has a problem, sends its Close MSIV command to the PM, which passes it on to the MSIV actuator.

A sensor provides feedback on the MSIV status directly to the PM. This sensor does not measure process variables such as pressure, temperature or steam flow; instead it senses the torque applied to the valve in order to infer the valve position. The PM receives this feedback and returns a confirmation to the controller that originally requested the MSIV closure. In addition, several process sensors report process variables to the controllers, such as pressures, SG water level and the status of the backup systems; the controllers use these to decide whether the MSIV should be closed. The controllers have the following responsibilities:

OPERATOR

- Validate or inhibit permissives.
- Bring the plant to a controlled shutdown in case of an Anticipated Operational Occurrence (AOO) or a Postulated Accident (PA), for instance leakage from the primary into the secondary loop.
- Initiate the Engineered Safety Features (ESF).
- Initiate main steam line isolation whenever required.
- Monitor the parameters that reveal abnormalities or trends.
- Operate the plant during startup.
- Operate the plant after an automatic shutdown.
- Intervene according to the written procedures during an emergency.

PS - PROTECTION SYSTEM

- Bring the plant to a controlled shutdown in case of an Anticipated Operational Occurrence (AOO) or a Postulated Accident (PA), for instance leakage from the primary into the secondary loop.
- Initiate the Engineered Safety Features (ESF).
- Initiate main steam line isolation whenever required.

DAS - DIVERSE AUTOMATION SYSTEM

Same as the PS; the DAS is a backup for the PS.

NSSC - NON-SAFETY SYSTEM CONTROLLER

- Forward the open/close MSIV command to the PM on receiving it from the Operator.
- Forward any feedback received from the PM to the Operator.

PM - PRIORITY MODULE

- Grant access to control commands according to the precedence PS > DAS > SCS > Operator > NSSC.
- Pass the commands to the MSIV actuator.
- Pass the feedback from the MSIV actuator to the active controller.
- Ensure that a checkback is received when the MSIV is closed.
- Check for faults in the MSIV actuator.
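The Priority Module responsibilities listed above can be modelled directly. The following Python is an added example, not code from the paper or from any plant vendor: it arbitrates among concurrent commands by the stated precedence, forwards the winning command to the actuator, returns feedback only to the active controller, and waits for a checkback after a close command, flagging an actuator fault if none arrives. The command vocabulary ("close"/"open"), the torque threshold used to infer the closed position, the checkback timeout and the two fault flags are modelling assumptions. The last scenario shows why a torque-based checkback on its own cannot distinguish a closed valve from a failed feedback sensor, which is exactly the kind of causal factor Step 2 looks for.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Precedence stated in the paper for the MSIV Priority Module.
PRECEDENCE = ["PS", "DAS", "SCS", "Operator", "NSSC"]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}


@dataclass
class Command:
    source: str   # issuing controller, one of PRECEDENCE
    action: str   # "close" or "open" (assumed vocabulary)


@dataclass
class Actuator:
    """MSIV actuator plus the torque sensor the PM reads. Torque values, the
    threshold and the two fault flags are modelling assumptions."""
    position: str = "open"
    stuck: bool = False                # actuator fault: ignores drive commands
    sensor_stuck_closed: bool = False  # feedback fault: torque always reads 'closed'
    torque: float = 0.0
    CLOSED_TORQUE = 10.0               # class constant, not a dataclass field

    def drive(self, action: str) -> None:
        if self.stuck:
            return
        self.position = "closed" if action == "close" else "open"
        self.torque = 25.0 if action == "close" else 0.0

    def sensed_closed(self) -> bool:
        # The PM never sees the stem position, only the torque signal.
        return self.sensor_stuck_closed or self.torque >= self.CLOSED_TORQUE


@dataclass
class PriorityModule:
    actuator: Actuator
    checkback_timeout: int = 3                 # control cycles; assumed
    feedback: List[dict] = field(default_factory=list)

    @staticmethod
    def arbitrate(commands: List[Command]) -> Optional[Command]:
        """Grant access to the highest-precedence command present."""
        return min(commands, key=lambda c: RANK[c.source], default=None)

    def run(self, commands: List[Command]) -> dict:
        """One cycle: pass the winning command to the actuator, wait for the
        checkback on a close command, report to the active controller only."""
        chosen = self.arbitrate(commands)
        if chosen is None:
            return {"active": None, "action": None, "status": "idle"}
        status = "forwarded"
        for _ in range(self.checkback_timeout):
            self.actuator.drive(chosen.action)
            if chosen.action != "close":
                break                       # no checkback is required for 'open'
            if self.actuator.sensed_closed():
                status = "checkback-received"
                break
        else:
            status = "actuator-fault"       # close commanded, no checkback in time
        result = {"active": chosen.source, "action": chosen.action, "status": status}
        self.feedback.append(result)
        return result


def scenario_operator_via_nssc() -> dict:
    """Operator closes the MSIV through the NSSC; no safety system is acting."""
    return PriorityModule(Actuator()).run([Command("NSSC", "close")])


def scenario_ps_overrides_manual_open() -> dict:
    """A manual 'open' via the NSSC loses to an automatic PS 'close'."""
    return PriorityModule(Actuator()).run([Command("NSSC", "open"), Command("PS", "close")])


def scenario_stuck_actuator() -> dict:
    """DAS commands close but the actuator does not move: the PM flags a fault."""
    return PriorityModule(Actuator(stuck=True)).run([Command("DAS", "close")])


def scenario_bad_torque_sensor():
    """Actuator stuck open AND torque sensor reads 'closed': the PM confirms a
    closure that never happened. Returns (PM result, true valve position)."""
    act = Actuator(stuck=True, sensor_stuck_closed=True)
    return PriorityModule(act).run([Command("PS", "close")]), act.position


if __name__ == "__main__":
    for fn in (scenario_operator_via_nssc, scenario_ps_overrides_manual_open,
               scenario_stuck_actuator, scenario_bad_torque_sensor):
        print(fn.__name__, "->", fn())
```

The fourth scenario is the important one: the PM's checkback logic is satisfied by the sensor, so the controller that asked for the closure is told the MSIV is shut while the steam path is still open. A position feedback that is independent of the actuator torque, or a plausibility check against process sensors such as steam flow, would be the kind of design feature Step 2 would propose for this causal factor.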

PROCESS MODEL VARIABLES

The controllers need specific information to choose their control actions, and this information is captured in the process model variables. Each process model variable is associated with the corresponding control action. To analyse closing the MSIV, the purpose of the MSIV must first be defined. The MSIV remains open during normal plant operation and is used to control only a few abnormal conditions. The relevant abnormal conditions follow from the hazards and are described below:

- Steam generator tube rupture: causes an uncontrolled rise in SG level and releases contaminated liquid into the secondary system.
- Steam system piping leak: causes depressurisation of the SG, leading to an overcooling transient and an energy release into containment.
- Feedwater system piping leak: causes depressurisation of the SG as above.

Although these conditions can be initiated by physical failures, the last two can also be produced by design errors and unsafe commands elsewhere in the system. For instance, a leak in the main steam line may be caused by a physical failure, or the main steam relief valves may have been left open inadvertently at the wrong time. In these situations the MSIV must be closed to prevent the depressurisation and an overcooling transient until the problem can be resolved. Besides mitigating the conditions above, the MSIV also controls the heat exchange that takes place inside the SG. Before the SG is isolated, other systems must be available to deliver adequate cooling. Hence the controller needs detailed knowledge of the cooling provided by the other systems so that the MSIV can be closed safely.

UNSAFE CONTROL ACTIONS

When considering whether a control action can be unsafe, it is essential to avoid assuming that other protective barriers are intact, appropriate, adequate and free of errors. For instance, even if the emergency feedwater system is expected to provide the required cooling should a relief valve be opened accidentally, it is still hazardous to command the relief valve open unintentionally. Such actions must be included in the analysis and prohibited regardless of the other protective systems that are expected to mitigate the hazardous behaviour. Table 7 summarises the UCAs identified for the command Close MSIV. A controller and a control action were selected first: the Operator and the control action Close MSIV were examined principally, although the findings apply to the other controllers in the system as well. A context table was then built for the control action using the process model variables identified earlier. Table 8 shows the context table for the case in which Close MSIV is provided. (Refer Table 7)


In Table 8 the first column gives the control action under examination, and columns 2 to 5 hold the process model variables identified earlier. Column 6 identifies the contexts in which it is hazardous to provide the Close MSIV control action. For instance, row 1 is the condition with no SG tube rupture, no main feedwater pipe leak and no main steam line leak; closing the MSIV here is hazardous because it causes an unneeded reactor shutdown (H-4). If the other systems do not provide the extra heat removal that is needed, closing the MSIV may also cause a loss of required cooling (H-2 in row 9, column 6).

If the other systems can provide the extra cooling during a rupture or leak, closing the MSIV is not hazardous (rows 2-8, column 6), and a reactor shutdown is initiated regardless of the MSIV action. Conversely, when the other systems are inadequate, closing the MSIV can produce several hazards (rows 10-16, column 6): an excessive temperature rise (H-2), release of radioactive material (H-1), an immediate reactor shutdown or SCRAM (H-4) if one has not already been initiated, and additional equipment damage (H-3). Depending on the type of rupture, it may actually be safer to leave the MSIV open to control the reactor temperature (H-2), even though this lets some radioactive steam into the secondary system (H-1). (Refer Table 8)

The last two columns of the table capture timing information. If a rupture or leak exists and the other systems are adequate, closing the MSIV is not hazardous (rows 2-8), but closing it too late is. After a steam generator tube rupture, a large amount of radioactive coolant may already have been released into the secondary system and the environment (H-1). After a steam line leak, excess steam will have been discharged, affecting cooling (H-2). After a steam line or feedwater pipe leak, the SG may have dried out, with possible equipment damage (H-3). Closing the MSIV too early can also be hazardous in specific circumstances. For instance, after a steam generator tube rupture the SG pressure must be reduced before the MSIV is closed; otherwise the SG pressure and temperature will rise and may damage the SG, the SG piping or other systems (H-3).


The contexts used to define UCAs are not the same as contexts that are inherently unsafe. The tables in this section examine controller behaviour and control actions under many conditions, not conditions that are hazardous in themselves. For instance, row 1, column 6 of Table 8 is marked hazardous because the control action Close MSIV would lead to a hazard if provided in that context, even though the context itself (no ruptures or leaks) indicates nothing hazardous. Conversely, the context in row 2 includes a steam generator tube rupture, yet column 6 is not marked hazardous, because closing the MSIV is not hazardous behaviour in that situation. Indeed, closing the MSIV is exactly what must happen there to prevent an accident.

Just as providing a control action can be hazardous, not providing it can be equally hazardous. Table 9 shows the context table for not providing the Close MSIV control action. As discussed earlier, a reactor shutdown must be initiated for every rupture regardless of the MSIV control action. However, because these tables are used to identify UCAs, only the hazards influenced by a missing Close MSIV control action are listed at this stage of the analysis.

With no rupture or leak, leaving the MSIV open is not hazardous (rows 1 and 9). If there is a rupture or leak, different hazards arise depending on the part of the system affected. If an SG tube is ruptured and the MSIV is not closed, radioactive material is released into the secondary system (H-1) and the SG water level may rise uncontrollably. A continuing loss of primary coolant reduces the effectiveness of the primary cooling system (H-2), and the release of radioactive material into the secondary system can cause equipment damage (H-3). If the main steam line leaks and the MSIV is left open, excess steam can escape, causing an overcooling transient and over-compensation by other systems to raise reactivity (H-2). Excessive steam discharge can also lower the SG water level, with possible equipment damage if the SG dries out (H-3). If the main feedwater pipe leaks and the MSIV is open, the SG may depressurise, causing an overcooling transient, and the water level may fall, leading to H-2 and H-3. (Refer Table 9)

In the case of an SG tube rupture, leaving the MSIV open will, besides causing equipment damage, trigger an immediate shutdown (H-4) by SCRAM and may increase the time the plant has to remain shut down for repairs. Overfilling the SG may allow water to enter the steam lines, damaging the delicate turbine blades and requiring a long repair. Equipment may also be overstressed and require more extensive inspection before the plant can return to service. The additional contamination may need extra time to decontaminate and generates more waste. Because leaving the MSIV open during an SG tube rupture may result in a more severe and longer shutdown than would occur with a controlled SG tube rupture, H-4 is included in Table 9 for those contexts. H-4 is not listed for the other contexts because it is assumed that leaving the MSIV open after a main steam line or main feedwater pipe leak would not produce a longer shutdown than closing it, although it does affect the other hazards listed.

Given the purpose of the tables, the reasoning behind every 'hazardous' versus 'not hazardous' judgement should be documented in the analysis. The context tables help ensure that the essential justifications and assumptions are recorded, in contrast to ad-hoc documentation of hazardous control actions, which tends to abbreviate the reasoning and to omit safe control actions entirely. The safe rows could simply be omitted from the tables, but recording the reasoning about hazardous behaviour is just as important as recording the behaviour that is expected to be safe. Such records are particularly valuable for other long-term project goals such as future change management, design reuse in new settings, and other questions that arise later in the system life cycle.

Comparing Tables 8 and 9 reveals conflicts that need to be resolved. In both tables, rows 10 to 16 are marked hazardous: in these contexts it is hazardous to close the MSIV, but also hazardous to leave it open. In some cases the design can be revisited to remove the conflict and provide a safe option. Where the conflict cannot be resolved, a decision must be made about the action required in those contexts, and the option that is clearly less hazardous should be selected. In this study, after discussion with nuclear engineers and regulators, rows 10 to 16 were found not to have been examined in earlier analyses of MSIV control. The consensus was that it is better to leave the MSIV open in the context of row 10 in order to maximise the amount of cooling, even though this will contaminate the secondary cooling system and eventually require expensive maintenance. Rows 11-16, by contrast, involve leaks in the pipe supplying water to the steam generator or in the line carrying steam away from it. If the MSIV is not closed in those conditions, the water inventory in the steam generator will fall and eventually lead to reduced cooling capability or an overcooling transient. Hence, for rows 11-16, it was judged better to close the MSIV to preserve as much cooling as possible, even if this is only a temporary solution. These interpretations were found to differ from existing MSIV controller designs, which do not act on the basis of the state of other systems and may automatically close the MSIV during a rupture.

These assumptions should be reviewed and evaluated carefully by domain experts. The purpose of this case study was to design and carry out a hazard analysis that can reveal hazardous control actions and account for the safety-critical issues that should be considered. Tables 8 and 9 use complex contexts, and the analysis should likewise be carried out comprehensively. In these contexts there are other control actions that must take place outside the MSIV control loop, and they should be examined in the same way. Furthermore, efforts should be made to prevent several of these contexts from arising at all. Although such additional efforts were beyond the scope of the case study, they are mentioned to indicate how the analysis branches into other parts of the system to address the concerns identified.

SAFETY CONSTRAINTS

All the UCAs from Table 7 can be transformed into safety constraints, as shown in Table 10.

CAUSAL FACTORS

As described in Section 2.6, there are two ways in which a safety constraint can be violated:

- The controller issues a UCA
- Appropriate control actions are issued but not followed

The causal factors shown in Figure 6 are used for the analysis in this case study. The following sections examine the two cases for the Operator, the DAS, and the PS.

OPERATOR CAUSAL FACTORS

Factors leading to Operator UCAs: the causal factors that lead to each UCA are described here (Table 10). (Refer Fig. 10)

UCA 1: Close MSIV command was not provided at the time of a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems were sufficient.

SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)

- Simultaneous conditions mask other conditions. For instance, a feedwater problem may occur at the same time as an SGTR, causing the SG water level to appear steady.
- Conditions that require MSIV closure are masked. For instance, NSSC activates the PZR heaters to compensate for the loss of RCS pressure during an SGTR.
- The event develops slowly

PROCESS FEEDBACK

- SG level feedback lost, delayed, or incorrect
- SG pressure incorrect or delayed
- Steam generator water level delayed or incorrect
- Main steam line activity incorrectly indicated
- Inconsistent data indicates an incorrect condition
- Voting system malfunctions and provides an incorrect evaluation
- No indication that partial cooldown has started
- Failures in sensors, communication lines, or power
- PM reports both MSIV actuators as inoperable when they are operable
- PM reports MSIV as already closed when it is not


- NSSC reported as functional when it is not

OUTSIDE INFORMATION

- PZR pressure delayed or lost
- PZR level wrongly shown as normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive incorrectly in effect
- Incorrect combination of indicators from the 4 divisions

OPERATOR

- Operator believes the Steam Generator is not damaged when it is
- Operator believes the main steam line has no leak when it does
- Operator believes the main feedwater has no leak when it does
- Operator confused about which procedure to use
- Operator confused by inconsistent indicators
- Operator reluctant to shut down the reactor, unsure whether shutdown is necessary and justified
- Operator under pressure not to trip the reactor
- Operator waits for the PS to handle the condition
- Operator unaware of the problem because of inadequate feedback
- Operator unaware because NSSC is broken or providing insufficient information
- Operator closes the wrong valve
- Operator recognizes the rupture/leak but believes other systems are insufficient, and leaves the MSIV open to maintain adequate cooling capability
- Operator uncertain whether there is a rupture/leak
- Operator believes NSSC is functioning when it is not

UCA 2: Close MSIV command not provided when there is a main feedwater or main steam line leak and other systems are insufficient.

SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)


- Simultaneous conditions mask others
- Conditions that require MSIV closure are masked
- The event develops slowly

PROCESS FEEDBACK

- SG level feedback lost, delayed, or incorrect
- SG pressure incorrect or delayed
- Steam generator water level delayed or incorrect
- Contradictory data indicating an incorrect condition
- Voting system malfunctions and provides erroneous measures
- No indication that partial cooldown has started
- Failures in sensors, communication lines, or power
- PM reports MSIV actuators as inoperable when they are operable
- PM reports MSIV as already closed when it is not
- NSSC reported as working when it is not

OUTSIDE INFORMATION

- PZR pressure delayed or lost
- PZR level erroneously indicated as normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive incorrectly in effect
- Incorrect combination of indicators from the 4 divisions

OPERATOR

- Operator believes the main steam line has no leak when there is one
- Operator believes the main feedwater has no leak when there is one
- Operator believes the SGTR does not require MSIV closure when there is actually a main steam line or main feedwater leak that requires closing the MSIV
- Operator confused about which procedure to use


- Operator confused by conflicting indicators
- Operator reluctant to shut down the reactor, unsure whether shutdown is necessary or justified
- Operator under pressure not to trip the reactor
- Operator waits for the PS to handle the condition
- Operator unaware of the problem because of inadequate feedback
- Operator unaware because NSSC is defective or giving insufficient data
- Operator closes the wrong valve
- Operator recognizes the rupture/leak but, because other systems are insufficient, leaves the MSIV open to maintain adequate cooling capability
- Operator uncertain whether a rupture/leak is present
- Operator believes NSSC is functional when it is not

UCA 3: Close MSIV provided when there is an SGTR but other systems are insufficient

SECONDARY COOLING SYSTEM

- A simultaneous condition can mask another; other support systems may appear to be sufficient, and automatic systems could aggravate the condition
- Loss of power

PROCESS FEEDBACK

- SG level feedback not given, delayed, or wrong
- SG pressure incorrect, delayed, or lost
- Steam generator water level incorrect, delayed, or lost
- Contradictory data indicating an incorrect condition
- Voting system malfunctions and provides erroneous actions
- Failures in sensors, communication lines, or power

OUTSIDE INFORMATION

- Incorrect combination of indicators from the 4 divisions
- PZR pressure delayed or lost
- Incorrect signal that SI has started

OPERATOR


- Operator believes other systems are operating when they are not
- Operator believes there is a main steam line or feedwater leak when there is actually an SGTR
- Operator sees that the support systems are functioning but does not realize they are insufficient
- Operator confused about which procedure to use
- Operator does not realize other support systems are not functioning
- Operator confused by contradictory indicators

UCA 4: Close MSIV provided too early (while SG pressure is high)

SECONDARY COOLING SYSTEM

- A simultaneous condition can mask another
- The event develops slowly
- Actuation of NSSC might confuse the Operator

PROCESS FEEDBACK

- SG level feedback not given
- SG pressure incorrect
- Steam generator water level not properly indicated
- Main steam line activity incorrectly indicated
- Contradictory data indicating an incorrect condition
- Voting system operates incorrectly and provides incorrect actions
- Sensor failure

OUTSIDE INFORMATION

- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No indication that SI has started
- No indication that partial cooldown has started
- Permissive incorrectly in effect
- Incorrect combination of indicators from the 4 divisions

OPERATOR


- Operator believes it is now safe to start action after the indications confirming an SGTR
- Operator believes it is now safe to start action after the indications confirming a main steam line break
- Operator believes it is now safe to start action after the indications confirming a main feedwater break
- Operator confused about which procedure to use
- Operator confused by contradictory indicators

UCA 5: Close MSIV command provided too late after a rupture/leak (in the SG tube, main feedwater, or main steam line)

SECONDARY COOLING SYSTEM

- A simultaneous condition may mask another
- The event develops slowly
- Actuation of NSSC will confuse the Operator

PROCESS FEEDBACK

- SG level feedback not given
- SG pressure incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated or delayed
- Contradictory data representing a wrong condition
- Voting system works incorrectly, giving incorrect measures
- Sensor failure
- PM reports MSIV actuators as not functional when they are
- PM reports MSIV as already closed when it is not
- NSSC reported as functional when it is not

OUTSIDE INFORMATION

- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No or delayed signal that SI has started


- No or delayed signal that partial cooldown has started
- Permissive incorrectly in effect
- Erroneous combination of indicators from the 4 divisions
- Screen is blank or frozen / NSSC or PS gives no response

OPERATOR

- Operator believes it is unsafe to start action after an SGTR is confirmed
- Operator believes it is unsafe to start action after a main steam line leak is confirmed
- Operator believes it is unsafe to start action after a main feedwater leak is confirmed
- Operator confused about which procedure to use
- Operator confused by contradictory indicators
- Operator reluctant to shut down the reactor
- Operator under pressure not to trip the reactor
- Operator faces a conflict between being conservative given the uncertainty of an SGTR and doing what is expected, namely waiting for the automatic system to clear the problem
- Operator waits for the PS to handle the condition and does not act in time

UCA 6: Close MSIV provided when there is no rupture/leak

SECONDARY COOLING SYSTEM

- Feedwater supply pumps inoperable
- Condenser leaking
- Excessive sludge in the water
- Contaminants in the water that can reduce flow to the SG
- Spurious opening of relief valves

PROCESS FEEDBACK

- SG level feedback not given
- SG pressure low
- Steam generator water level delayed or incorrect
- Incorrect SG isolation indication


- Main steam line activity
- Contradictory data indicating a wrong condition in which closing the valve would be appropriate
- Voting system malfunctions, giving incorrect measures
- Sensor failure

OUTSIDE INFORMATION

- PZR pressure indication delayed
- PZR feedback lost
- Wrong PZR pressure feedback
- Wrong feedback shows PZR level as low
- Wrong indication of SI start
- Incorrect indication that partial cooldown has started
- Startup/shutdown not documented
- Incorrect combination of indicators from the 4 divisions

OPERATOR

- Operator believes the Steam Generator tubes are ruptured when they are not
- Operator believes the main steam line has a leak when it does not
- Operator believes the main feedwater has a leak when it does not
- Operator confused about which procedures to use
- Operator confused by contradictory indicators
- Blank screen leads the operator to believe the conditions are different
- Incorrect radiation warning
- Closes the wrong valve, on the other SG

CAUSAL FACTORS LEADING TO AN OPERATOR CONTROL ACTION NOT BEING FOLLOWED

Besides identifying the reasons for providing UCAs, it is important to examine how safe control actions are carried out. This section identifies violations of the safety constraints that occur even though safe control actions are provided. Figure 11 shows the areas of the control loop in which many of the causal factors can lead to a violation of Safety Constraints 1 to 6. (Refer Fig. 11)

SC 1: MSIV must be closed when a leak is detected (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are sufficient.

SC 2: MSIV must be closed when there is a main feedwater or main steam line leak and other support systems are insufficient.

Basic Scenario: Operator provides Close MSIV command, but MSIV does NOT close

NSSC

- Physical damage/failure
- Does not recognize operator command
- Manufacturing flaws
- Inadequate process
- Loss of electric power

PM

- Incorrect priority setting that caused the PM to ignore the close command
- Does not recognize PS or manual command
- Physical damage/failure
- Improper functioning of multiplex circuit
- An operation (for example, checking the status of the MSIV actuators) takes a long time and PM ignores new commands
- Two contradictory commands arrive simultaneously from different controllers, the first with lower priority than the second
- PM previously received an interlock command from PS or another controller, causing PM to ignore operator commands to close MSIV
- Contradictory commands are sent (operator/PS, PS/DAS, etc.)
- Manufacturing flaws
- Loss of electric power

MSIV SENSOR

- Reports the device as functional when it is not
- Reports the valve position as open when it is not
- Physical damage/failure
- Manufacturing flaws
- Loss of electric power


MSIV ACTUATOR

- If the oil pump is unavailable and the MSIV is already open, it inevitably stays open for a certain period
- Mechanical failure in the dump valves, preventing the oil from reaching the tank
- Debris or residue prevents the valve from closing
- The nitrogen pressure in the upper chamber is insufficient to close the valve, and this was not reported
- Upper chamber is under maintenance to restore pressure
- Dump valves are inoperable because of mechanical failures
- Physical damage/failure
- Manufacturing flaws
- Loss of electric power

MSIV

- The pressure in the lower chamber does not drop
- The gate of the valve is jammed and does not move
- Upper chamber has too little pressure, creating a vacuum that stops the piston from moving
- The upper chamber pressure is insufficient to drive the piston
- Debris or residue in the valve prevents it from closing
- Physical damage/failure
- Manufacturing flaws

SAFETY CONSTRAINTS 3-6:

SC 3: MSIV must not be closed when there is an SGTR and support systems are lacking

SC 4: MSIV must not be closed too early, when SG pressure is excessively high

SC 5: MSIV must not be closed too late after a rupture/leak (in the SG tube, main feedwater, or main steam line)

SC 6: MSIV must not be closed when there is no rupture/leak
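The following is an added example, not code from the paper, that encodes safety constraints SC 1 to SC 6 and the row 10 / rows 11-16 agreement from the Tables 8 and 9 discussion as an executable checker, and then regenerates a context table in the form of Tables 8/9 to confirm that the resolved constraints leave no row hazardous in both columns. The SG pressure threshold, the closure time window and the pressure unit are constructed placeholders, not plant values.

```python
"""Executable model of the MSIV safety constraints SC 1 to SC 6.

Added example, not code from the paper. The leak types, the support-system
condition and the row 10 / rows 11-16 resolution come from the case study;
SG_PRESSURE_HIGH_LIMIT and CLOSE_DEADLINE_S are constructed placeholders,
not plant design values.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional

SGTR = "SGTR"          # steam generator tube rupture
MSL_LEAK = "MSL_LEAK"  # main steam line leak
MFW_LEAK = "MFW_LEAK"  # main feedwater leak
LEAKS = (None, SGTR, MSL_LEAK, MFW_LEAK)

SG_PRESSURE_HIGH_LIMIT = 80.0  # constructed threshold for "SG pressure high" (SC 4)
CLOSE_DEADLINE_S = 300.0       # constructed window after leak onset for "too late" (SC 5)


@dataclass(frozen=True)
class ProcessState:
    leak: Optional[str]                     # one of LEAKS
    support_sufficient: bool                # CVCS / emergency feedwater able to cope
    sg_pressure: float                      # same (constructed) unit as the limit above
    t_since_leak_s: Optional[float] = None  # None when there is no leak


def required_action(state: ProcessState) -> str:
    """Action the resolved constraints call for: 'CLOSE' or 'OPEN'.

    Row 10 (SGTR, support insufficient) resolves to leaving the MSIV open to
    preserve cooling; rows 11-16 (MFW/MSL leak, support insufficient) resolve
    to closing it to preserve SG inventory.
    """
    if state.leak is None:
        return "OPEN"    # SC 6
    if state.support_sufficient:
        return "CLOSE"   # SC 1
    if state.leak == SGTR:
        return "OPEN"    # SC 3, row 10
    return "CLOSE"       # SC 2, rows 11-16


def close_is_due(state: ProcessState) -> bool:
    """Closure is required and SG pressure has dropped enough to satisfy SC 4."""
    return required_action(state) == "CLOSE" and state.sg_pressure <= SG_PRESSURE_HIGH_LIMIT


def violated_constraints(state: ProcessState, action: str) -> List[str]:
    """Safety constraints that `action` ('CLOSE' or 'OPEN') violates in `state`."""
    hits: List[str] = []
    if action == "CLOSE":
        if state.leak is None:
            hits.append("SC6")
        elif state.leak == SGTR and not state.support_sufficient:
            hits.append("SC3")
        if state.leak is not None and state.sg_pressure > SG_PRESSURE_HIGH_LIMIT:
            hits.append("SC4")        # closing while SG pressure is high: too early
    elif action == "OPEN":
        if close_is_due(state):
            hits.append("SC1" if state.support_sufficient else "SC2")
            if state.t_since_leak_s is not None and state.t_since_leak_s > CLOSE_DEADLINE_S:
                hits.append("SC5")    # still not closed past the window: too late
    else:
        raise ValueError(f"unknown action {action!r}")
    return hits


def context_table() -> List[dict]:
    """Rebuild a context table in the form of Tables 8/9: one row per context,
    with the hazard status of 'Close MSIV provided' and 'Close MSIV not provided'."""
    rows = []
    for leak, support, high in product(LEAKS, (True, False), (True, False)):
        pressure = SG_PRESSURE_HIGH_LIMIT + 10.0 if high else SG_PRESSURE_HIGH_LIMIT - 10.0
        st = ProcessState(leak, support, pressure, None if leak is None else 60.0)
        rows.append({
            "leak": leak, "support_sufficient": support, "sg_pressure_high": high,
            "close_provided_hazardous": bool(violated_constraints(st, "CLOSE")),
            "close_not_provided_hazardous": bool(violated_constraints(st, "OPEN")),
        })
    return rows


def conflicting_rows(table: List[dict]) -> List[dict]:
    """Rows hazardous in both columns: the conflicts the paper found in rows
    10-16 before the resolution was agreed. Empty once the resolution is encoded."""
    return [r for r in table if r["close_provided_hazardous"] and r["close_not_provided_hazardous"]]
```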

Basic Scenario: Operator does not provide Close MSIV command, but MSIV closes

NSSC


- Physical damage/failure
- Certain fault in NSSC process
- NSSC has manufacturing flaw
- Manufacturing flaws
- Loss of electric power
- Inadequate algorithm

PM

- PM controls the execution of command requests because of an interlock issued by PS; this causes a new command to be suspended
- Incorrect priority setting
- Does not recognize PS or manual command
- Physical damage/failure
- Improper functioning of multiplex circuit
- Inconsistent commands are sent
- Manufacturing flaws
- Loss of electric power

MSIV SENSOR

- Reports the device as inoperable when it is operable
- Displays valve position as closed when it is open or only partially closed
- Physical damage/failure
- Manufacturing flaws

MSIV ACTUATOR

- The oil pump may have mechanical problems affecting the valve, which is normally kept open, causing a delay
- The guides are de-energized, then the dump valve opens, which closes the valve prematurely
- Automatic dump valve failure
- Mechanical failure dumps the hydraulic oil from the lower chamber and closes the valve
- Closure test causes it to be unintentionally closed
- Physical process failure
- Manufacturing flaws
- Loss of electric power

MSIV

- Leakage in the upper chamber leaves the pressure inadequate to close the valve at the correct time, so there is a delay
- To keep the valve open, a discrepancy between the required pressure in the oil chamber and the actual pressure applied causes the oil pressure to be insufficient to keep it open
- A discrepancy between the minimum pressure in the nitrogen chamber needed to close the valve and the pressure actually applied, which is higher than required, may not allow the valve to be opened
- Physical damage/failure
- Manufacturing flaws

DAS CAUSAL FACTORS

UCA 1: Close MSIV not provided when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are sufficient

SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)

- A simultaneous condition can mask another
- The event develops slowly
- Actuation of CVCS can compensate for the loss of coolant inventory, making DAS delay actuation

PROCESS FEEDBACK

- SG level feedback lost, delayed, or incorrect (Refer Fig. 12)
- SG pressure incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated
- Contradictory data representing a wrong condition
- Voting system malfunctions, providing incorrect measures
- No indication that partial cooldown has started
- Sensor failure

OUTSIDE INFORMATION

- PZR pressure delayed
- PZR feedback lost


- Incorrect feedback indicates PZR level is normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive erroneously in effect
- Incorrect combination of indicators from the 4 divisions

DAS - DIVERSE ACTUATION SYSTEM

- DAS does not know when the Steam Generator is ruptured
- DAS does not know when the main steam line has a leak
- DAS does not know when the main feedwater has a leak
- DAS does not know that PS is faulty or out of date and does not take control
- DAS has no power supplied
- DAS uses an improper algorithm
- DAS has an incorrect process model
- Physical damage/failure
- Manufacturing flaws
- Loss of electric power

UCA 2: Close MSIV not provided when there is a main feedwater or main steam line leak and other support systems are insufficient

SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)

- A simultaneous condition can mask another
- The event develops slowly
- Actuation of CVCS compensates for the loss of coolant inventory, making DAS delay actuation

PROCESS FEEDBACK

- SG level feedback lost, delayed, or incorrect
- SG pressure incorrect
- Steam generator water level delayed
- Contradictory data representing a wrong condition
- Voting system functions incorrectly, giving incorrect measures


- No indication that partial cooldown has started
- Sensor failure

OUTSIDE INFORMATION

- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive incorrectly in effect
- Incorrect combination of indicators from the 4 divisions

DAS - DIVERSE ACTUATION SYSTEM

- DAS does not recognize that the main steam line has a leak
- DAS does not recognize that the main feedwater has a leak
- DAS incorrectly believes the problem is an SGTR when there is actually a main steam line or main feedwater leak
- DAS does not know that PS is broken or out of date and does not take control
- DAS has no power supplied
- DAS uses a faulty algorithm
- DAS has an erroneous process model
- Physical damage/failure
- Manufacturing flaws
- Loss of electric power

UCA 3: Close MSIV provided when there is an SGTR but support systems are insufficient

SECONDARY COOLING SYSTEM

- A simultaneous condition masks another and other support systems appear sufficient

PROCESS FEEDBACK

- SG level feedback not given
- SG pressure incorrect
- Steam generator water level incorrect
- Contradictory data indicating a wrong condition
- Voting system works incorrectly, giving incorrect measures
- Sensor failure


OUTSIDE INFORMATION

- Incorrect combination of indicators from the 4 divisions
- PZR pressure delayed or lost
- Wrong indication that SI has started

DAS - DIVERSE ACTUATION SYSTEM

- DAS does not know that the support systems are inoperable because of conflicting information
- DAS erroneously attributes the problem to a main steam line leak or feedwater leak when it is actually an SGTR
- DAS has an inadequate process model
- DAS closes the valve when the other SG valves are under maintenance
- Physical damage/failure
- Manufacturing flaws

UCA 4: Close MSIV provided too early (while SG pressure is high)

SECONDARY COOLING SYSTEM

- A simultaneous condition can mask another
- The event develops slowly
- Actuation of CVCS compensates for the loss of coolant inventory, making DAS delay actuation

PROCESS FEEDBACK

- SG level feedback not given
- SG pressure incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly shown
- Contradictory data representing an incorrect condition
- Voting system works incorrectly, giving incorrect measures
- Sensor failure

OUTSIDE INFORMATION

- PZR pressure delayed
- PZR feedback lost
- Incorrect feedback indicates PZR level is normal
- No indication that SI has started


- No indication that partial cooldown has started
- Permissive incorrectly in effect
- Incorrect combination of indicators from the 4 divisions

DAS - DIVERSE ACTUATION SYSTEM

- DAS has contradictory data indicating it is already safe to start action after indications confirm a rupture/leak
- Physical damage/failure
- Manufacturing flaws
- DAS has a poor algorithm
- DAS has an erroneous process model

UCA 5: Close MSIV command provided too late after a rupture/leak (in the SG tube, main feedwater, or main steam line)

SECONDARY COOLING SYSTEM

- A simultaneous condition masks another
- The event develops slowly
- Actuation of CVCS compensates for the loss of coolant inventory, making DAS delay actuation

PROCESS FEEDBACK

- SG level feedback not given
- SG pressure incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated
- Contradictory data indicating an incorrect condition
- Voting system malfunctions, giving incorrect measures
- Sensor failure

OUTSIDE INFORMATION

- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No indication that SI has started
- No indication that partial cooldown has started


Permissive incorrectly in effect

Incorrect grouping of pointers from the 4

divisions

DAS - Diverse Actuation System

DAS does not know the actual condition

up until it is belated after SGTR

DAS does not know the actual condition

up until it is belated subsequent to the

main steam line leakage

DAS does not know the actual condition

up until it is belated subsequent to the

main feedwater leak age

DAS has an improper algorithm

DAS has an incorrect process model

Physical damage/failure

Manufacturing flaws

Electric power deficit

Causal Factors Leading to DAS Control

Actions Not Being Followed (Refer Fig. 13)

SC 1: MSIV must be closed during leakage

(rupture in the SG tube, leak in main

feedwater, or leak in main steam line) and the

support systems are sufficient.

SC 2: MSIV must be closed during a main

feedwater or main steam line leakage and

other support systems are scarce.

Basic Scenario: DAS gives Close MSIV

command, but MSIV does NOT close

PRIORITY MODULE

Incorrect precedence set instigating PM

to overlook the close command

Does not identify DAS command

Physical damage/failure

Faulty Multiplex

Certain functionalities expend more time

than required and PM overlooks the new

commands

Two contrasting action commands arise

simultaneously from dissimilar

controllers: the first one with less

precedence than the second one

PM had obtained an interlock command

from PS; however PS goes down right

subsequently hence PM pauses to obtain

new commands and does not take new

commands

Contradictory commands are sent

(operator/PS, PS/DAS, etc.)

- Manufacturing flaws
- Electric power deficit

MSIV SENSOR
- Reports the device as functioning when it is not
- Reports the valve position as open when it is not

MSIV ACTUATOR
- If the oil pump is unavailable and the MSIV is already open, the valve automatically stays open for some time
- Mechanical failure in the dump valves prevents the oil from returning to the tank
- Residue or debris prevents the valve from closing
- The nitrogen pressure in the upper chamber is inadequate to close the valve, which was not reported earlier
- Upper chamber is under maintenance to restore pressure
- Dump valves remain closed owing to mechanical failures
- Physical damage/failure
- Manufacturing flaws
- Electric power deficit

MSIV VALVE
- Leakage in the upper chamber leaves the pressure inadequate to close the valve at the correct time, so closure is delayed
- A mismatch between the pressure required in the oil chamber to keep the valve open and the actual pressure applied may leave the oil pressure insufficient to keep it open, which closes the valve
- A mismatch between the minimum pressure required in the nitrogen chamber to close the valve and the pressure applied may make the applied pressure greater than required, which could close the valve
- Physical damage/failure
- Manufacturing flaws

SAFETY CONSTRAINTS 3-6:

SC 3: MSIV must not be closed when there is an SGTR and support systems are insufficient

SC 4: MSIV must not be closed early when the SG pressure is extremely high

SC 5: MSIV must not be closed late after a rupture/leakage (in the SG tube, main feedwater, or main steam line)

SC 6: MSIV must not be closed when there is no rupture/leakage

Basic Scenario: DAS does not provide the Close MSIV command, but the MSIV closes

PRIORITY MODULE
- PM holds the execution of command requests because of an interlock issued by PS, delaying a new command
- PM receives a close command from another controller
- Incorrect precedence setting
- Does not recognize the PS or manual command
- Physical damage/failure
- Multiplexer broken
- Inconsistent commands are sent (operator/PS, PS/DAS, etc.)
- Physical damage/failure
- Manufacturing flaws
- Electric power deficit

MSIV SENSOR
- Reports the device as non-functional when it is functional
- Reports the valve position as closed when it is open or only partly closed
- Physical damage/failure
- Manufacturing faults

MSIV ACTUATOR
- The oil pump could have mechanical problems that cause the valve to be left open, which causes a delay
- The guides are de-energized and the dump valve opens, which closes the valve ahead of time
- Mechanical failure in the dump valve

- Mechanical failure lets the hydraulic oil out of the lower chamber and closes the valve
- Closure testing causes the valve to be accidentally shut
- Physical damage/failure
- Manufacturing shortcomings
- Electric power deficit

MSIV VALVE
- Leakage in the upper chamber leaves the pressure inadequate to close the valve at the correct time, causing a delay
- A gap between the pressure required in the oil chamber to keep the valve open and the actual pressure applied may leave the oil pressure insufficient to keep it open, which closes the valve
- A gap between the minimum pressure required in the nitrogen chamber to close the valve and the pressure applied may make the applied pressure greater than required, which closes the valve
- Physical damage/failure
- Manufacturing deficiencies

3.7.3 PS Causal Factors

Causal Factors Leading to PS Unsafe Control Actions (Refer Fig. 14)

UCA 1: Close MSIV not provided when a leakage occurs (rupture in the SG tube, leak in the main feedwater, or leak in the main steam line) and the support systems are adequate

SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
- A simultaneous condition that can mask the other
- The event develops slowly
- Actuation of the CVCS compensates for the loss of coolant inventory, delaying PS actuation

PROCESS FEEDBACK
- SG level feedback lost, delayed or incorrect
- SG pressure is incorrect
- Steam generator water level delayed

- Main steam line activity incorrectly indicated
- Contradictory data indicating a false state
- Voting system functions incorrectly, giving faulty measurements
- No indication of partial cooldown started
- Sensor failure

OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback missing
- Incorrect feedback indicates that the PZR level is normal
- No indication of SI started
- Delayed indication of SI started
- Permissive erroneously in effect
- Incorrect combination of indicators from the 4 divisions

PS - PROTECTION SYSTEM
- PS will not know if the steam generator is ruptured
- PS will not know if there is a leakage in the main steam line
- PS will not know if there is a leakage in the main feedwater
- There is a power supply deficit in the PS
- PS uses a wrong algorithm
- PS has a manufacturing flaw
- Physical damage/failure
- There is no electric power
- PS has an erroneous process model

UCA 2: Close MSIV not provided when there is a main feedwater or main steam line leakage and other support systems are insufficient

SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
- A concomitant condition that masks the other
- The event develops slowly
- Actuation of the CVCS compensates for the loss of coolant inventory, delaying PS actuation

PROCESS FEEDBACK
- SG level feedback lost, delayed or incorrect
- SG pressure is incorrect
- Steam generator water level delayed
- Contradictory data indicating an incorrect condition
- Voting system functions improperly, giving incorrect measurements
- No indication of partial cooldown started
- Sensor failure

OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback missing
- Incorrect feedback indicates that the PZR level is normal
- No indication of SI started
- Delayed indication of SI started
- Permissive erroneously in effect
- Incorrect combination of indicators from the 4 divisions

PS - PROTECTION SYSTEM
- PS will not know if there is a leakage in the main steam line
- PS will not know if there is a leakage in the main feedwater
- PS will assume that there is an SGTR when there is really a main steam line or feedwater leakage
- There is a power supply deficit in the PS
- PS uses a wrong algorithm
- PS has an improper process model
- PS has a manufacturing fault
- Physical damage/failure
- Electric power deficit

UCA 3: Close MSIV provided when there is an SGTR but support systems are insufficient

SECONDARY COOLING SYSTEM
- A parallel condition masks the other, and the other support systems appear to be sufficient

PROCESS FEEDBACK
- SG level feedback not given
- SG pressure incorrect
- Steam generator water level incorrect
- Inconsistent data indicating a wrong condition
- Voting system functions improperly, providing incorrect measurements
- Sensor failure

OUTSIDE INFORMATION
- Incorrect combination of indicators from the 4 divisions
- PZR pressure delayed or lost
- Wrong indication that SI started

PS - PROTECTION SYSTEM
- PS will not know if the support systems are inoperable, owing to the inconsistent data
- PS assumes that there is a leakage in the main steam line or feedwater when it is in fact an SGTR
- PS has a poor algorithm
- PS has an incorrect process model
- PS closes the valve when the other SG valves are under maintenance
- PS has a manufacturing fault
- Physical damage/failure
- Manufacturing deficiencies
- No electric power

UCA 4: Close MSIV provided ahead of time (while SG pressure is high)

SECONDARY COOLING SYSTEM
- A coexisting condition masks the other
- Event progresses too slowly to detect
- Actuation of the CVCS compensates for the loss of coolant inventory, delaying PS actuation

PROCESS FEEDBACK
- SG level feedback not given
- SG pressure incorrect
- Steam generator water level delayed

- Main steam line activity incorrectly indicated
- Inconsistent data indicating a wrong condition
- Voting system functions incorrectly, giving improper measurements
- Sensor failure

OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates that the PZR level is normal
- No indication of SI started
- No indication of partial cooldown started
- Permissive incorrectly in effect
- Incorrect combination of indicators from the 4 divisions

PS - PROTECTION SYSTEM
- PS has a poor algorithm
- PS has contradictory data indicating that it is now safe to start the action, which then indicates a confirmed rupture/leakage
- Physical damage/failure
- Manufacturing shortcomings
- Electric power deficit

UCA 5: Close MSIV provided late after a rupture/leakage (in the SG tube, main feedwater, or main steam line)

SECONDARY COOLING SYSTEM
- A simultaneous condition masks the other
- The event develops slowly
- Actuation of the CVCS compensates for the loss of coolant inventory, delaying PS actuation

PROCESS FEEDBACK
- SG level feedback not given
- SG pressure is incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated
- Inconsistent data indicating an incorrect condition

- Voting system works incorrectly, giving improper measurements
- Sensor failure

OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates that the PZR level is normal
- No indication of SI started
- No indication of partial cooldown started
- Permissive erroneously in effect
- Incorrect combination of indicators from the 4 divisions

PS - PROTECTION SYSTEM
- PS will not know the actual condition until it is too late after an SGTR
- PS will not know the actual condition until it is too late after the main steam line or feedwater leakage
- PS has a poor algorithm
- PS has an erroneous process model
- PS has a manufacturing fault
- Physical damage/failure
- Electric power shortage

UCA 6: Close MSIV provided when there is no rupture/leakage

SECONDARY COOLING SYSTEM
- Feedwater pumps functioning incorrectly
- Condenser leaking
- Excessive mud in the water
- Objects in the water that could cut the flow to the SG
- False opening of relief valves

PROCESS FEEDBACK
- SG level feedback not given
- SG pressure low
- Steam generator water level delayed
- Wrong SG isolation signal
- Main steam line activity
- Contradictory data indicating a wrong condition in which the close valves are required

- Voting system works incorrectly and provides wrong measurements
- Sensor failure

OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Incorrect PZR pressure
- Incorrect feedback indicates that the PZR level is low
- Incorrect indication of the start of SI
- Wrong indication that partial cooldown started
- Startup/shutdown unrecognized
- Incorrect combination of indicators from the 4 divisions

PS - PROTECTION SYSTEM
- PS has incorrect data indicating that the steam generator tubes are ruptured when they are not
- PS has incorrect evidence indicating that the main steam line or feedwater has a leakage when they do not
- PS has an erroneous process model
- PS has a poor algorithm
- PS has a manufacturing flaw
- Physical damage/failure
- Electric power deficit
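The Process Feedback and Outside Information entries for UCA 1 to UCA 6 above repeatedly name two causal factors: a voting system that produces wrong measurements, and an incorrect combination of indicators from the 4 divisions. The following is an added example, not code from the paper or from any plant vendor. It models a 2-out-of-4 voter on an "SG pressure low" signal; the setpoint, the staleness limit, the division numbering and every reading are constructed assumptions. It shows how a mis-combined channel set or a silently dropped failed channel yields exactly the spurious or missed actuation those entries describe, and what a defensive voter does differently.

```python
"""2-out-of-4 voting on an 'SG pressure low' signal from four redundant divisions.
Added example; setpoint, staleness limit and all readings are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SETPOINT_BAR = 50.0   # trip when SG pressure falls below this (assumed value)
MAX_AGE_S = 5.0       # a reading older than this counts as a failed channel (assumed)
DIVISIONS = (1, 2, 3, 4)


@dataclass(frozen=True)
class Reading:
    division: int            # redundant division the channel belongs to
    value: Optional[float]   # SG pressure in bar; None when the channel gives no value
    age_s: float             # seconds since the channel last updated


@dataclass(frozen=True)
class VoteResult:
    trip: bool
    degraded: Tuple[int, ...] = ()    # divisions whose channel failed or went stale
    rejected: Optional[str] = None    # why the voter refused the input set, if it did


def vote_2oo4_naive(readings: List[Reading]) -> bool:
    """Flawed voter: it counts whatever it is handed.  A mis-combination that
    samples division 1 twice lets one faulty channel supply half the vote, and a
    channel with no value silently counts as 'not tripped'."""
    votes = sum(1 for r in readings if r.value is not None and r.value < SETPOINT_BAR)
    return votes >= 2


def vote_2oo4(readings: List[Reading]) -> VoteResult:
    """Defensive voter: exactly one reading per division, and a failed or stale
    channel is placed in the 'trip' state (fail-safe placement, a design choice
    of this example) and reported so it can be alarmed."""
    by_div: Dict[int, Reading] = {}
    for r in readings:
        if r.division not in DIVISIONS or r.division in by_div:
            return VoteResult(trip=False,
                              rejected=f"bad channel combination at division {r.division}")
        by_div[r.division] = r
    if len(by_div) != len(DIVISIONS):
        return VoteResult(trip=False, rejected="not all divisions present")
    degraded: List[int] = []
    trips = 0
    for div in DIVISIONS:
        r = by_div[div]
        if r.value is None or r.age_s > MAX_AGE_S:
            degraded.append(div)   # failed or stale channel: counted as tripped
            trips += 1
        elif r.value < SETPOINT_BAR:
            trips += 1
    return VoteResult(trip=trips >= 2, degraded=tuple(degraded))


# Constructed input sets.
def genuine_low_pressure() -> List[Reading]:
    return [Reading(1, 45.0, 0.5), Reading(2, 46.0, 0.5),
            Reading(3, 70.0, 0.5), Reading(4, 71.0, 0.5)]


def miscombined_inputs() -> List[Reading]:
    # Wiring/pointer error: division 1 sampled twice, division 3 never;
    # only channel 1 reads falsely low.
    return [Reading(1, 45.0, 0.5), Reading(2, 70.0, 0.5),
            Reading(1, 45.0, 0.5), Reading(4, 71.0, 0.5)]


def one_low_one_failed() -> List[Reading]:
    # Division 1 low, division 2 channel dead, the others normal.
    return [Reading(1, 45.0, 0.5), Reading(2, None, 0.5),
            Reading(3, 70.0, 0.5), Reading(4, 71.0, 0.5)]


def stale_channel() -> List[Reading]:
    # Division 3 stopped updating 40 s ago while still showing a normal value.
    return [Reading(1, 45.0, 0.5), Reading(2, 70.0, 0.5),
            Reading(3, 70.0, 40.0), Reading(4, 71.0, 0.5)]


if __name__ == "__main__":
    for name, inputs in (("genuine", genuine_low_pressure()),
                         ("miscombined", miscombined_inputs()),
                         ("one low, one failed", one_low_one_failed()),
                         ("stale channel", stale_channel())):
        print(f"{name}: naive={vote_2oo4_naive(inputs)} defensive={vote_2oo4(inputs)}")
```

The mis-combined set is the case the tables call "incorrect combination of indicators from the 4 divisions": the naive voter trips on a single faulty channel (a UCA 6 style spurious closure), while the defensive voter refuses the set and reports a fault. Whether a refused combination should fail toward isolation or toward an alarm only is a plant-specific design decision; here it is surfaced rather than acted on.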

CAUSAL FACTORS LEADING TO PS CONTROL ACTIONS NOT BEING FOLLOWED (Refer Table 15)

SC 1: MSIV should be closed if a leakage is detected (rupture in the SG tube, leak in the main feedwater, or leak in the main steam line) and the support systems are adequate.

SC 2: MSIV should be closed if a leakage is detected in the main feedwater or main steam line and other support systems are insufficient.

Basic Scenario: PS provides the Close MSIV command, but the MSIV does NOT close

PRIORITY MODULE
- Incorrect precedence setting that causes the PM to ignore the close command
- Does not recognize the PS command
- Physical damage/failure

- Multiplexer is faulty
- An operation takes more time than anticipated and the PM overlooks the new commands
- Two contradictory action commands arrive simultaneously from different controllers, the first with lower precedence than the second
- PM received an interlock command from PS that is never cleared, so the PM will not take new commands
- Contradictory commands are sent (operator/PS, PS/DAS, etc.)
- Manufacturing faults
- Electric power deficit

MSIV SENSOR
- Reports the device as functional when it is not
- Reports the valve position as open when it is not
- Physical damage/failure
- Manufacturing faults
- Electric power deficit

MSIV ACTUATOR
- If the oil pump is unavailable and the MSIV is already open, the valve inevitably stays open for some time
- Mechanical failure in the dump valves stops the oil from reaching the tank
- Residue or debris stops the valve from closing, which leaves it open
- The nitrogen pressure in the upper chamber is insufficient to close the valve
- Upper chamber is under maintenance to restore pressure
- Dump valves are closed owing to mechanical failures
- Physical damage/failure
- Manufacturing faults
- Electric power deficit

MSIV VALVE
- Leakage in the upper chamber generates less pressure, which is insufficient to close the valve at the correct time, causing a delay

- A mismatch between the pressure required in the oil chamber to keep the valve open and the actual pressure applied may leave the oil pressure too low to keep it open, closing the valve
- A mismatch between the minimum pressure required in the nitrogen chamber to close the valve and the pressure applied may make the applied pressure greater than required, closing the valve
- Physical damage/failure
- Manufacturing faults

SAFETY CONSTRAINTS 3-6

SC 3: MSIV should not be closed when there is an SGTR and support systems are not sufficient

SC 4: MSIV should not be closed well ahead of time while SG pressure is excessively high

SC 5: MSIV should not be closed late after a rupture/leakage (in the SG tube, main feedwater, or main steam line)

SC 6: MSIV should not be closed when there is no rupture/leakage

Basic Scenario: PS does not provide the Close MSIV command, but the MSIV closes

PRIORITY MODULE
- PM holds the execution of command requests because of the interlock issued by PS, which delays a new command
- Incorrect precedence settings
- Does not recognize the PS or manual command
- Physical damage/failure
- Multiplexer is faulty
- Contradictory commands are sent (operator/PS, PS/DAS, etc.)
- Manufacturing faults
- Electric power shortage

MSIV SENSOR
- Reports the device as inoperable when it is operable
- Reports the valve position as closed when it is open or only partly closed
- Physical damage/failure
- Manufacturing faults

- Electric power shortage

MSIV ACTUATOR
- The oil pump could face mechanical problems that cause the valve to be kept open, which causes a delay
- The guides are de-energized and then the dump valve opens, which closes the valve well ahead of time
- Mechanical failure in the dump valve
- Mechanical failure releases the hydraulic oil from the lower chamber and closes the valve
- Closure testing causes the valve to be unintentionally closed
- Physical damage/failure
- Manufacturing faults
- Electric power shortage

MSIV VALVE
- Leakage in the upper chamber builds less pressure, which is insufficient to close the valve at the correct time, causing a delay
- A mismatch between the pressure required in the oil chamber to keep the valve open and the actual pressure applied leaves the oil pressure insufficient to keep it open, which closes the valve
- A mismatch between the minimum pressure required in the nitrogen chamber to close the valve and the pressure applied, which is greater than required, may cause the valve to close
- Physical damage/failure
- Manufacturing faults

EXTENSION TO MULTIPLE STEAM GENERATORS

Up to now, the analysis has considered a single Steam Generator and a single MSIV. Yet the results can be extended to multiple Steam Generators without repeating the complete analysis. One method is to revise the existing context tables to reflect the control action "Close MSIV #1". Because any feedwater or steam line leak involving SG #1 will affect the control action "Close MSIV #1" in the same way as for the single-SG system, these columns can remain the same. Likewise, a Steam Generator Tube Rupture in SG #1 is relevant to the closing of MSIV #1, whereas a Steam Generator Tube Rupture in another Steam Generator has no effect on the closure of MSIV #1. Thus the values in the Steam Generator Tube Rupture column may be replaced with "SG #1 ruptured" and "SG #1 not ruptured" while the rest of the table is kept as it is. Correspondingly, the resulting table can then be transformed for the other three MSIV commands by simply swapping #1 with #2, #3, or #4. If the remaining SGs can compensate for the heat exchange performed by another SG, then the definition of "other support systems" will be extended to include the other SGs.

LIMITATIONS OF THIS ANALYSIS

This research does not include a comprehensive low-level evaluation down to the individual components, including the PLDs inside the PM. The researchers lacked the time and resources in this research grant to evaluate down to that level, and that was not the purpose of the research. Since STPA is a top-down analysis, this assessment was carried out from the highest level (accidents and hazards) down to the component level to detect the control flaws that lead to accidents. The potential flaws and safety constraints that were obtained should be the starting point for a thorough evaluation. For instance, it was found that the system was designed in a way that an erroneous precedence setting would lead to an accident, particularly if MSIV close commands are ignored. Further, there are several options, such as changing the system architecture or imposing constraints on lower levels, that would avert the accidents. Imposing constraints here means making the precedence settings static inside the PM and eliminating the programmability, so that MSIV commands are never ignored by the PM internal logic and PLD design. Of course, all the possible solutions should be reviewed to guarantee that other safety constraints are not violated and new accidents are not introduced.
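The Priority Module entries in the causal-factor tables above (an incorrect precedence setting that makes the PM ignore a close command, two contradictory commands arriving at once from different controllers, and a PS interlock that is never cleared because PS went down) and the constraint just proposed (static precedence, no programmability) can be made concrete in a small model. What follows is an added example, not code from the paper or from any vendor's priority module: the controller names, the rank values, the timing and the interlock timeout are constructed assumptions. It contrasts a PM whose precedence is a runtime setting with one whose safety rule is fixed in logic.

```python
"""Toy model of the MSIV priority module (PM) arbitration in the causal-factor
tables.  Added example: controller names, rank values and timings are
constructed assumptions, not the plant's real settings."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Command:
    source: str   # issuing controller: "PS", "DAS" or "OPERATOR" (assumed names)
    action: str   # "CLOSE" or "OPEN"
    t: float      # receipt time in seconds (constructed)


class ProgrammablePM:
    """PM whose precedence table is a runtime setting (the design the paper
    found hazardous).  A table that ranks OPERATOR above PS makes the PM pick
    an OPEN over a simultaneous CLOSE from PS.  An interlock set by PS is held
    until PS clears it; if PS drops right after setting it, the PM never
    accepts a new command again."""

    def __init__(self, precedence: Dict[str, int]) -> None:
        self.precedence = precedence                 # lower rank wins
        self.interlock_since: Optional[float] = None

    def set_interlock(self, now: float) -> None:
        self.interlock_since = now

    def clear_interlock(self) -> None:
        self.interlock_since = None

    def interlocked(self, now: float) -> bool:
        return self.interlock_since is not None

    def arbitrate(self, commands: List[Command], now: float) -> Optional[str]:
        """Return the action forwarded to the actuator, or None if none is."""
        if self.interlocked(now) or not commands:
            return None
        winner = min(commands, key=lambda c: self.precedence.get(c.source, 99))
        return winner.action


class StaticSafetyPM(ProgrammablePM):
    """Hardened variant in the spirit of the paper's recommendation: the rule
    that a safety controller's CLOSE is never ignored is fixed in logic rather
    than in a settings table, and a PS interlock expires unless PS keeps
    refreshing it (a watchdog; the timeout is an assumption of this example)."""

    SAFETY_CONTROLLERS = ("PS", "DAS")

    def __init__(self, precedence: Dict[str, int], interlock_timeout_s: float) -> None:
        super().__init__(precedence)
        self.interlock_timeout_s = interlock_timeout_s

    def interlocked(self, now: float) -> bool:
        if self.interlock_since is None:
            return False
        if now - self.interlock_since >= self.interlock_timeout_s:
            self.interlock_since = None          # stale: PS stopped refreshing it
            return False
        return True

    def arbitrate(self, commands: List[Command], now: float) -> Optional[str]:
        if self.interlocked(now) or not commands:
            return None
        if any(c.action == "CLOSE" and c.source in self.SAFETY_CONTROLLERS
               for c in commands):
            return "CLOSE"                       # cannot be out-ranked by a setting
        return super().arbitrate(commands, now)


# Constructed wrong table: the operator's station out-ranks the protection system.
MISCONFIGURED = {"OPERATOR": 0, "DAS": 1, "PS": 2}


def contradictory_commands_scenario(pm: ProgrammablePM) -> Optional[str]:
    """Two contradictory commands at the same instant from different controllers."""
    cmds = [Command("PS", "CLOSE", 10.0), Command("OPERATOR", "OPEN", 10.0)]
    return pm.arbitrate(cmds, now=10.0)


def lost_ps_interlock_scenario(pm: ProgrammablePM) -> Optional[str]:
    """PS sets an interlock, then goes down without clearing it; 30 s later
    DAS commands CLOSE."""
    pm.set_interlock(now=0.0)
    return pm.arbitrate([Command("DAS", "CLOSE", 30.0)], now=30.0)


def live_ps_interlock_scenario(pm: ProgrammablePM) -> Optional[str]:
    """PS sets an interlock and is still alive 2 s later when DAS commands CLOSE."""
    pm.set_interlock(now=0.0)
    return pm.arbitrate([Command("DAS", "CLOSE", 2.0)], now=2.0)


if __name__ == "__main__":
    for name, factory in (("programmable", lambda: ProgrammablePM(MISCONFIGURED)),
                          ("static-safety", lambda: StaticSafetyPM(MISCONFIGURED, 5.0))):
        print(name,
              contradictory_commands_scenario(factory()),
              lost_ps_interlock_scenario(factory()),
              live_ps_interlock_scenario(factory()))
```

With the mis-set table the programmable PM forwards OPEN and the MSIV stays open, which is the "PS provides Close MSIV command, but MSIV does NOT close" scenario; the static variant forwards CLOSE regardless of the table. The stale-interlock case shows the other entry: without an expiry the programmable PM is wedged after PS drops, while the watchdog releases it. The expiry value and the choice to let a fresh interlock hold a DAS command are design assumptions of the example, not something the paper specifies.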

RESULTS OF THE ANALYSIS

While this research covered a limited portion of the secondary cooling system, several significant insights follow from it by assessing the causes of the UCAs for the assumed situations. For instance, the difficulty of detecting a Steam Generator Tube Rupture (SGTR) by means of a normal indicator leads to a delayed response by the automatic controllers and the operator. The present outcome depends on the operator's ability to identify the event and intervene in specific cases. Relying on the operator, conversely, may not be effective because of factors that affect the operator's decision-making process. Such factors are identified in STPA Step 2 as possible reasons for the operator not to provide the control action to close the MSIV, or to provide it late. The identified factors should be used to improve the design and make it error-free.

A rational suggestion, for instance, is for regulators to ask the designers to make the indicators simpler for the SGTR case by making the radiation level at the Main Steam Line a primary signal for isolating the affected SG. The Protection System (PS) would then identify the event earlier. In the present design, a radioactivity signal is insufficient for the PS to take action. Consequently, there are additional situations in which both the operator and the PS must take action. The operator can feel pressure to avoid spurious closures and will have to wait to obtain convincing confirmation of the actual problem. Such responses are commonly recognized by human-factors analyses of several real accidents. There may also be circumstances in which, after years of work, the operator becomes familiar with the automated controls that handle events and grows more confident in their correct operation. This over-reliance will show up as non-action or delayed action, even though other evaluations have assumed that the operators will respond immediately.

However, owing to the inclination of the nuclear industry to credit either the operator or specific devices, the accident evaluation is required to be done by the operator, who must identify and resolve the issues suitably in any circumstance. This is achieved by evaluating the minor cases against the severe cases. STAMP offers a generic alternative that covers the potential circumstances leading to the losses and is able to point to the operators and the erroneous situations in the design, in order to identify the shortcomings of the system.

It is important to recognize the conditions under which a component such as the operator may not perform effectively, and to use those conditions to improve the design of the system. The alternative is simply to blame the operators after an accident for being unable to recognize and resolve the issue as expected. Newer NPP designs place the operators in a highly automated setting and state that the PS is able to cope with the majority of the concerns. There are several subtle circumstances in which the PS will be inoperable, or in the worst case will overlook the issues and not warn the operator, since it is expected that the operator will find the issue and solve it. Assuming that A is not safety-critical because B exists as a backup to A, and that B is not safety-critical because it is just a backup system, leads to logical questions and, presumably, to accidents. A worst-case evaluation is essential, one that assumes there may be design faults or common-cause/common-mode failures in A and B.

With the emergence of digital systems the concerns are aggravated. Software lets exceedingly complex systems be built. While classifying the safety-critical against the non-safety-critical components in an NPP was comparatively straightforward for mainly electromechanical designs, the pervasive use of software enables a far more complex design than was available earlier, and with it the potential for accidental and unexpected interactions among the components. When there are more interfaces among the system components and the functional design is highly complex, the potential for accidental impacts is high, so there are more chances for UCAs that can lead to hazards.

It is highly difficult to perform exhaustive system testing on software-intensive systems, and even testing each component of the system exhaustively will not ensure system safety. The interfaces between the PM and the other controllers and equipment are such that all the components are able to function in a reasonable way with respect to their local environment and the information available to them. However, from a global systems point of view the combined behavior of numerous components might be unsafe. For instance, as mentioned above, the PS might not take action in several circumstances in which operator involvement is necessary, while the operator might wait for the automatic PS to take action. The STPA investigation in this case study was restricted in scope to the MSIV commands and openly accessible material; nevertheless, a more comprehensive STPA evaluation appears reasonable because of the vital importance of this equipment in the control system.

Using a hazard analysis method grounded in STAMP allows a broad analysis that includes scenarios in which there was no failure but the hazards arose from unsafe interactions between components. Detecting the shortcomings in the general PWR design is possible by means of STPA, because STPA analysis investigates the interactions between the controllers and the system components. These flaws are unlikely to be detected by hazard analysis methods that are based on the assumption that accidents result from chains of component failures. While only a few flaws were detected in this analysis, a comprehensive and thorough modeling and analysis would reveal more.

POTENTIAL USE OF STPA IN LICENSING

STAMP offers a detailed foundation for examining safety and licensing NPPs. The benefits of STAMP are outlined below.

CLASSIFICATION OF COMPONENTS AS SAFETY-RELATED VS. NON-SAFETY-RELATED

In NPPs, identifying the safety-critical versus non-safety-critical components was comparatively simpler for mainly electromechanical designs. However, the extensive use of software enables a far more complex design and the likelihood of accidental and unforeseen interactions among the components. STPA does not start from the notion that some equipment or controllers are safety-related and others non-safety-related. Rather, a significant output of STPA is a set of UCAs for all the controllers examined and their impact on a hazard. The UCAs that are detected in Step 1 delineate the contribution of a controller to a hazardous condition. The output of STPA can hence be used to categorize the components as safety-related or non-safety-related, or to validate a current arrangement. STPA Step 2 goes further, considering how all the components, including sensors, actuators, logic devices, and communication paths, can contribute to hazardous circumstances. Analysts are thus able to detect hazardous behavior arising from the interactions among the components that otherwise would not be captured by traditional analyses.

While there must be independence between the safety-related and non-safety-related controllers as categorized in the U.S. EPR system, the STPA analysis of the case study system shows that some systems categorized as non-safety-related may still contribute to hazardous situations and are not really independent of safety-related systems and functions. Consider the NSSC, which is designated a non-safety-related controller: it might obstruct or delay the successful closure of the MSIV when closure is required, either by presenting an inaccurate response to the operator or by operating in an unsafe or unexpected manner after receiving a close-MSIV command from the operator. Thus, through its communication with many safety-related controllers, the NSSC is able to affect their capacity to perform their safety-related functions.
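One way to make the point about the NSSC checkable rather than anecdotal is to treat the control structure as a directed graph and ask two questions: which components can influence the MSIV at all, and which safety-related controllers obtain their feedback only through a non-safety-related component. The Python below is an added example and not code from the paper; the control structure it uses is a constructed toy modelled loosely on the case-study components named above (Operator, NSSC, PS, DAS, MSIV), so its edges, its sensor node and its classification table are assumptions, not the case study's actual Figure 9.

```python
"""
Control-structure influence check in the spirit of STPA Step 2.

Added example, not from the paper. EDGES and CLASSIFICATION are a
CONSTRUCTED toy modelled loosely on the paper's MSIV case study; they are
assumptions, not the case study's real control structure.
"""
from collections import deque

# (source, destination, kind): "control" is a command or control action,
# "feedback" is status or sensor information flowing back to a controller.
EDGES = [
    ("Operator",   "NSSC",     "control"),   # operator's Close MSIV goes via the NSSC HMI (assumed)
    ("NSSC",       "MSIV",     "control"),   # NSSC forwards the close command (assumed)
    ("NSSC",       "Operator", "feedback"),  # NSSC displays valve/plant state to the operator
    ("PS",         "MSIV",     "control"),   # protection system closes MSIV automatically
    ("DAS",        "MSIV",     "control"),   # diverse actuation system closes MSIV
    ("MSIV",       "PS",       "feedback"),  # valve position feedback
    ("SG_sensors", "PS",       "feedback"),  # constructed sensor node
    ("SG_sensors", "DAS",      "feedback"),
    ("SG_sensors", "NSSC",     "feedback"),
]

# The applicant's classification, as a constructed assumption.
CLASSIFICATION = {
    "Operator": "safety-related", "PS": "safety-related", "DAS": "safety-related",
    "MSIV": "safety-related", "SG_sensors": "safety-related",
    "NSSC": "non-safety-related",
}


def build_graph(edges):
    """Adjacency map over every node; neighbours kept in edge-list order."""
    graph = {}
    for src, dst, _kind in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, source, target):
    """Breadth-first search; returns a shortest node path or None."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def influencers(edges, target):
    """Every component with a control or feedback path to the target."""
    graph = build_graph(edges)
    return {n for n in graph if n != target and shortest_path(graph, n, target) is not None}


def feedback_sources(edges, controller):
    """Components that provide feedback to the given controller."""
    return sorted(src for src, dst, kind in edges if kind == "feedback" and dst == controller)


def classification_findings(edges, classification, target):
    """Findings that contradict an assumed independence between classes.

    "influences": a non-safety-related component can reach the target.
    "feedback-depends-on": a safety-related controller's process model is fed
    only by non-safety-related components.
    """
    findings = []
    graph = build_graph(edges)
    for node in sorted(influencers(edges, target)):
        if classification.get(node) == "non-safety-related":
            findings.append(("influences", node, shortest_path(graph, node, target)))
    for ctrl, cls in sorted(classification.items()):
        if cls != "safety-related":
            continue
        sources = feedback_sources(edges, ctrl)
        if sources and all(classification.get(s) == "non-safety-related" for s in sources):
            findings.append(("feedback-depends-on", ctrl, sources))
    return findings


if __name__ == "__main__":
    for kind, node, detail in classification_findings(EDGES, CLASSIFICATION, "MSIV"):
        print(f"{kind}: {node} -> {detail}")
```

Run against the toy structure, the check reports that the NSSC lies on a control path to the MSIV and that the Operator's feedback comes only from the NSSC, which is exactly the pair of findings the paragraph above describes in words. On a real design the edge list would come from the control structure diagram built in the analysis, and the second finding is the one to look for whenever a display or HMI component is classified as non-safety-related.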

IDENTIFYING POTENTIAL OPERATOR ERRORS AND THEIR CAUSES AND SAFETY CULTURE FLAWS

STAMP/STPA treats the operator as an integral part of the system and consequently as an important part of the hazard analysis. Factors such as "pressure to save time and money" are treated as hazardous in the same way as a mechanical failure of a component, and can be captured by this method.

BROADENING THE ANALYSIS AND OVERSIGHT

Several aspects of the wider socio-technical system can similarly be included in the STPA analysis, although they were not covered in the case study for this report. The NRC has responsibility for oversight of safety culture and of many facets of NPP operations. Including social, organizational, and decision-making factors in the hazard analysis might identify potential hazards, and leading indicators of growing hazards, that regulators can use to monitor the effectiveness of the utilities.

ASSISTING IN UNDERSTANDING APPLICANT FUNCTIONAL DESIGNS

The model of the safety control structure built as part of the STPA analysis can help regulatory reviewers deepen their understanding of the functional design of the system and assist in their interaction and negotiations with applicants. In carrying out this case study, it was found that the existing documentation for the system gave a complete description of the physical design, but that extracting the functional or logical design from these documents was difficult. The control structure diagrams help to provide this information and to identify missing data or unclear design explanations.

The STPA documentation will similarly facilitate discussions among experts from diverse fields, who are bound to express themselves in a variety of technical languages and may have different outlooks and priorities. It was found that using a control structure model of the system helped communication between varied groups about the functionality originally provided by the system design.


ENHANCING THE REVIEW OF CANDIDATE DESIGNS

STAMP/STPA may also serve as a platform for giving reviewers a broad and highly general understanding of the system, and can uncover surprising or unforeseen behavior that arises from the complex interactions that occur. As mentioned above, this method has the advantage of capturing human as well as equipment behavior in the same control-theoretic model. Because the system is modeled as a combined control structure, rather than considering the components in isolation, reviewers can envisage flaws that would otherwise have been impossible to find.

The Step 1 tables offer an extensive array of circumstances that may lead to UCAs relevant to the known hazards. These tables reflect the possibilities of events and do not rely on the availability or correctness of probabilistic estimates, which makes STAMP/STPA an influential tool to support documentation and licensing. All the UCAs can be directly and easily transformed into component-level safety constraints, which can then be compared with the safety requirements of an existing design to discover irregularities, disparities, or incompleteness. The Step 2 analysis guides the identification of the probable causes of the UCAs and of the different ways in which the safety constraints could in theory be violated. These outcomes may likewise serve as a guide for experts producing the set of requirements or mitigation measures that the licensee has to conform to. In conclusion, the outcomes of this case study are useful as a foundation for producing further constraints that have not yet been identified, since new concerns are likely to arise once the Step 1 and Step 2 findings are understood.
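As an added illustration of turning Step 1 UCAs into safety constraints, and then into something a reviewer can check a design or a test trace against, the Python below (not code from the paper) encodes the six Close-MSIV UCAs of Table 10 as data, generates the corresponding SC text by inverting each UCA, and evaluates a constructed sequence of control actions against the same rules. The process-state fields, the 30-second closure deadline used to decide "too late", and the sample trace are assumptions made for the example.

```python
"""
From UCAs (Table 10) to safety constraints and a checkable rule set for the
"Close MSIV" control action. Added example, not from the paper. The UCA
wording follows Table 10; ProcessState, CLOSE_DEADLINE_S and SAMPLE_TRACE
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 10 as data: UCA id -> (UCA type, condition). The four types are the
# STPA categories used in the analysis: not provided / provided / too early / too late.
UCAS = {
    "UCA 1": ("not provided", "there is a leak (rupture in the SG tube, leak in main feedwater, "
                              "or leak in main steam line) and the support systems are adequate"),
    "UCA 2": ("not provided", "there is a main feedwater or main steam line leak and other "
                              "support systems are inadequate"),
    "UCA 3": ("provided", "there is a SGTR and support systems are inadequate"),
    "UCA 4": ("too early", "SG pressure is too high"),
    "UCA 5": ("too late", "rupture/leak (in the SG tube, main feedwater, or main steam line)"),
    "UCA 6": ("provided", "there is no rupture/leak"),
}

# Inverting a UCA gives its safety constraint: "not provided" -> "must be",
# the other three -> "must not be".
_SC_TEMPLATES = {
    "not provided": "MSIV must be closed when {}",
    "provided": "MSIV must not be closed when {}",
    "too early": "MSIV must not be closed too early while {}",
    "too late": "MSIV must not be closed too late after {}",
}


def safety_constraint(uca_id: str) -> str:
    """Derive the component-level safety constraint text for one UCA."""
    kind, condition = UCAS[uca_id]
    number = uca_id.split()[1]
    return f"SC {number}: " + _SC_TEMPLATES[kind].format(condition)


CLOSE_DEADLINE_S = 30.0  # constructed: latest acceptable closure time after a leak


@dataclass(frozen=True)
class ProcessState:
    leak: Optional[str]        # None, "SGTR", "main_feedwater" or "main_steam_line"
    support_adequate: bool     # support systems adequate for MSIV closure
    sg_pressure_high: bool     # SG pressure above the "too early" limit
    seconds_since_leak: float  # 0.0 when there is no leak


def check_close_msiv(state: ProcessState, provided: bool) -> List[str]:
    """UCA ids from Table 10 violated by providing / not providing Close MSIV in this state."""
    if state.leak is None:
        return ["UCA 6"] if provided else []
    # SC 1/SC 2: closure is required for MFW/MSL leaks regardless of support
    # systems, and for an SGTR only when the support systems are adequate (SC 3).
    closure_required = state.support_adequate or state.leak != "SGTR"
    if not provided:
        if not closure_required:
            return []
        return ["UCA 1"] if state.support_adequate else ["UCA 2"]
    if not closure_required:
        return ["UCA 3"]
    violations = []
    if state.sg_pressure_high:
        violations.append("UCA 4")
    if state.seconds_since_leak > CLOSE_DEADLINE_S:
        violations.append("UCA 5")
    return violations


def evaluate_trace(trace: List[Tuple[str, ProcessState, bool]]) -> List[Tuple[str, str]]:
    """Check a sequence of (controller, state, provided) events; returns (controller, UCA) pairs."""
    return [(who, uca) for who, state, provided in trace for uca in check_close_msiv(state, provided)]


# Constructed sample trace: an operator acting through the HMI, then the PS.
SAMPLE_TRACE = [
    ("Operator", ProcessState("main_feedwater", True, True, 5.0), True),    # closes while SG pressure high
    ("Operator", ProcessState("main_feedwater", True, False, 45.0), False), # closure required, not given
    ("PS",       ProcessState("main_feedwater", True, False, 50.0), True),  # closes, but past the deadline
    ("PS",       ProcessState(None, True, False, 0.0), True),               # spurious closure, no leak
]

if __name__ == "__main__":
    for uca_id in UCAS:
        print(f"{uca_id} -> {safety_constraint(uca_id)}")
    for who, uca in evaluate_trace(SAMPLE_TRACE):
        print(f"{who}: violates {uca}")
```

The point of keeping the UCAs as data is that the constraint text and the checker are generated from the same table, so a reviewer comparing SC 1 to SC 6 against an applicant's requirements, and an engineer replaying a test or event log through `evaluate_trace`, are working from one source. The timing conditions (UCA 4, UCA 5) are the ones most often left vague in requirements, which is why the example forces them to concrete state fields and a deadline.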


LIST OF FIGURES:

Figure 1: Controller comprising a process model
Figure 2: An example safety control structure
Figure 3: Example Safety Control Structure for the Operating Process in Figure 2
Figure 4: Simple Safety Control Loop for a Train Door Controller
Figure 5: Structure of a UCA
Figure 6: A classification of causal factors leading to risks
Figure 7: Pressurized Water Reactor (Diagram from AREVA Brochure)
Figure 8: PWR Safety Control Structure
Figure 9: Safety Control Structure for MSIV
Figure 10: Causal Factors Leading to Operator UCA
Figure 11: Causal Factors Leading to Operator Control Actions Not Being Followed
Figure 12: Causal factors leading to DAS UCA
Figure 13: Causal factors leading to DAS control actions not being followed
Figure 14: Causal Factors for PS UCA
Figure 15: Causal factors leading to PS control actions not being followed

LIST OF TABLES:

Table 1: Examples of accidents
Table 2: UCA for Simple Train Door Controller
Table 3: Example background table with type provided
Table 4: Example background table with type not provided
Table 5: System-level accidents to be stopped

Table 6: System-Level risks

Risk                                   | Related Accident
R-1: Release of radioactive materials  | A-1, A-2
R-2: Reactor temperature too high      | A-1, A-2, A-3, A-4
R-3: Equipment operated beyond limits  | A-3, A-4
R-4: Reactor shut down                 | A-4

Table 7: UCA for close MSIV

Table 8: Background table for Operator provides Close MSIV control action

Table 9: Background table for Close MSIV control action is not provided

Table 10: Safety Constraints

Unsafe Control Action | Safety Constraint

UCA 1: Close MSIV not provided when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are adequate | SC 1: MSIV must be closed when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are adequate

UCA 2: Close MSIV not provided when there is a main feedwater or main steam line leak and other support systems are inadequate | SC 2: MSIV must be closed when there is a main feedwater or main steam line leak and other support systems are inadequate

UCA 3: Close MSIV provided when there is a SGTR but support systems are inadequate | SC 3: MSIV must not be closed when there is a SGTR and support systems are inadequate

UCA 4: Close MSIV provided too early (while SG pressure is high) | SC 4: MSIV must not be closed too early while SG pressure is too high

UCA 5: Close MSIV provided too late after rupture/leak (in the SG tube, main feedwater, or main steam line) | SC 5: MSIV must not be closed too late after rupture/leak (in the SG tube, main feedwater, or main steam line)

UCA 6: Close MSIV provided when there is no rupture/leak | SC 6: MSIV must not be closed when there is no rupture/leak